> Architecturally, I would contend that the ideal design of a
> network that connects to the Internet will not have random
> individual hosts making DNS requests to a public server on
> the opposite side of a firewall. DNS requests should go
> through one's own forwarder/proxy/local DNS server/whatever
> so that only one or a limited number of entities are sending
> queries thru a firewall to the public Internet.
>
> Those hosts allowed to make such queries should be limited in
> function to just that function, if possible. We know
> historically that the code for many common DNS servers has
> had its share of security bugs, so said hosts should
> themselves be firewalled off, down to just the connections +
> directions required. Again, might not be possible, but in
> any case said host should not be running services like SQL
> Server which have high bug potential and tend to be used for
> end-user data handling, and don't typically need connectivity
> to the public world. It just doesn't make sense to put an
> app like that on the same system as a DNS server/proxy/whatever.

I fully agree and this might be an additional cause of the problem. Look at Microsoft's Small Business Server package - it is exactly promoting this. Put everything on a single machine (even the firewall, I think ;)) and be happy with it...

Rainer Gerhards
Adiscon

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
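The design the quoted message argues for (only a designated forwarder sends DNS across the firewall) is something a log analyst can verify from firewall logs: any internal host other than the forwarder that sends port-53 traffic to an outside address is bypassing the policy. The script below is an added example and not part of the thread or of any product it mentions; the internal network (10.0.0.0/8), the forwarder address (10.0.0.53) and the iptables-style log lines are all constructed assumptions.

```python
"""Flag internal hosts that send DNS straight to the Internet instead of
through the site's designated forwarder.

Added example, not from the mailing-list thread. The network, the forwarder
address and the log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed site layout: one internal range, one sanctioned DNS forwarder.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DNS_FORWARDERS = {ipaddress.ip_address("10.0.0.53")}

# Assumed iptables/netfilter-style log format (SRC=, DST=, PROTO=, DPT= fields).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>UDP|TCP)"
    r".*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def is_bypass(rec):
    """True when an internal host that is not a forwarder sends DNS (port 53,
    UDP or TCP) to an address outside the internal network."""
    return (
        rec["dpt"] == 53
        and rec["src"] in INTERNAL_NET
        and rec["src"] not in DNS_FORWARDERS
        and rec["dst"] not in INTERNAL_NET
    )


def find_bypassing_hosts(lines):
    """Return {source address: number of offending DNS flows} for the given log lines."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_bypass(rec):
            counts[str(rec["src"])] += 1
    return dict(counts)


# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "kernel: FW-OUT IN=eth0 OUT=eth1 SRC=10.0.0.53 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=40001 DPT=53",
    "kernel: FW-OUT IN=eth0 OUT=eth1 SRC=10.0.5.7 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=51234 DPT=53",
    "kernel: FW-OUT IN=eth0 OUT=eth0 SRC=10.0.5.7 DST=10.0.0.53 LEN=60 PROTO=UDP SPT=51235 DPT=53",
    "kernel: FW-OUT IN=eth0 OUT=eth1 SRC=10.0.9.2 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=44100 DPT=53",
    "kernel: FW-OUT IN=eth0 OUT=eth1 SRC=10.0.5.7 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=44101 DPT=443",
    "kernel: FW-OUT IN=eth0 OUT=eth1 SRC=10.0.5.7 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=51236 DPT=53",
]

if __name__ == "__main__":
    for host, n in sorted(find_bypassing_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} DNS flow(s) to the Internet not via a forwarder")
```

Only the forwarder's own outbound queries and the workstation's query to the forwarder pass; the two workstations talking to outside resolvers are reported, which is exactly the set of hosts a firewall rule restricting port 53 to the forwarder would block.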
This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 12:26:27 PST