[ale] DNS best practices

Jeff Hubbs hbbs at comcast.net
Sat Dec 11 10:45:17 EST 2004


When I wrote that, for some reason I was thinking about just DNS
resolution for the Internet (i.e., caching), but now I realize that it's
for resolution of *inside* machines.  Duh on me!  Long week.

Jeff

On Fri, 2004-12-10 at 23:41, Jeff Hubbs wrote:
> Just so I understand, why/when is it necessary to do this?  When your
> shop is big enough that DNS requests going out over the Internet become
> a significant consumer of bandwidth?
> 
> - Jeff
> 
> On Fri, 2004-12-10 at 19:22, Bob Toxen wrote:
> > On Fri, Dec 10, 2004 at 10:44:33AM -0500, Cordell, Ron wrote:
> > > Hi all,
> > 
> > > I was hoping to draw on your expertise to get an idea of some best
> > > practices for DNS. 
> > 
> > > I'm trying to determine if it is best to have one DNS server, or
> > > multiple DNS servers for an environment. The environment consists of a
> > > few hosts in a DMZ, with many hosts behind a firewall (behind the DMZ).
> > > The hosts behind the firewall are divided up into vLANs, and are in
> > > several subdomains. Does it make sense to put a single DNS server in the
> > > DMZ, and use that, or would you recommend putting the server elsewhere?
> > > If machine resources are scarce, I don't want to have to create a lot of
> > > DNS servers.
> > 
> > > I appreciate any suggestions.
> > If your firewall is good, i.e., someone on the Internet cannot spoof
> > packets to appear to come from your DNS server, then one DNS server
> > (or a pair for redundancy) in the DMZ should suffice, assuming it is
> > running on a hardened Linux or UNIX system.
> > 
> > Of course, you'll want to ensure that your internal DNS entries cannot be
> > obtained by anyone from the Internet.  Of course, properly configuring
> > a DNS server is non-trivial.  You'll also want to ensure that it's kept
> > up-to-date w.r.t. security patches.
> > 
> > > -ronc
> > 
> > Bob Toxen
> > Fly-By-Day Consulting, Inc.
> > "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> > Network Monitoring, and Network Security consulting"
> > 
> > http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
> > http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
> > bob at verysecurelinux.com (e-mail)
> > +1 770-662-8321  (Office: 10am-6pm M-F US Eastern Time)
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale



More information about the Ale mailing list