Re: name server on firewall box?
On Sun, May 13, 2001 at 12:44:20PM +0200, Christian Volk wrote:
> I'm about to change ISPs for my ISDN dial-up account. My new
> ISP uses dynamic name server address assignment (W*****s
> I want to run the minimum of services on my router/firewall. In
> the current setup the DNS server is on another box. It
> resolves the local names and forwards other requests to the
> ISP's name servers.
> With the new ISP it seems I don't have any choice but to move
> the name server to the router/firewall machine to set the IPs
> after dial-up.
> Is this advisable or should I find a method to communicate the
> name server IPs from the router/firewall on the other box?
Well... you do have a choice, but it's not necessarily a nice
1. How likely is it that the new ISP's name servers change
their IP addresses? i.e. can you get away with just pretending
they're static and hard coding them?
2. You could put something in your ip-up script that somehow
notifies your DNS server of the dynamically assigned name
3. You run the name server on your firewall, but make sure you
do the following:
a. Make sure your name server runs as a non-privileged
user. (See the -u and -g options.)
b. Make sure that it listens only on your INTERNAL
interface (and possibly loopback too.) (See the
listen-on option in the named.conf.)
c. Consider running it chrooted.
I hope that helps :)
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
firstname.lastname@example.org | Fax: +27 21 761 9930 | Kingsley Technologies
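As an added illustration of option 3 (not part of the original message), a named.conf fragment for a forwarding resolver on the firewall box that only listens on the internal side; the internal address 192.168.1.1, the LAN prefix, the ISP resolver addresses, the zone name and the chroot path are all placeholders.

```conf
// Added example, not from the original post; all addresses and paths are placeholders.
options {
    directory "/var/named";

    // (b) Bind port 53 only on the internal interface and loopback,
    // never on the dial-up (external) interface.
    listen-on { 192.168.1.1; 127.0.0.1; };

    // Answer queries only from the LAN and the box itself.
    allow-query { 192.168.1.0/24; 127.0.0.1; };

    // Hand everything the local zones do not answer to the ISP's
    // resolvers; update these with the addresses received after dial-up.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

// Local names stay served here, as in the old two-box setup.
zone "home.example" {
    type master;
    file "home.example.zone";
};

// (a) and (c) are command-line options, not named.conf settings, e.g.:
//   named -u named -g named -t /var/named/chroot
// -u/-g drop to an unprivileged user/group (BIND 8 syntax; in BIND 9 -g
// means "run in the foreground", so give only -u there) and -t chroots.
```

After starting named, confirm with `netstat -an | grep ':53'` that nothing is bound on the dial-up interface's address.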