Firewall Wizards mailing list archives

Re: dns outbound


From: Larry Chin <larry () sprint ca>
Date: Mon, 17 May 1999 07:58:12 -0400 (EDT)



I think the question should be: why do they want to do this?

I would suggest that you set up a split-brain DNS, and that should solve
most DNS-associated problems. Basically your internal DNS (with all the
domain info) would be configured as a slave and forward requests for DNS
info that it did not have to the external DNS server (which would only
have info for exposed systems and no info for anything behind the
firewall).

As for pros and cons, IMHO there is no reason to allow it, given the
potential risk, and with a split-brain DNS you can at least control what
info is being served up to the world.

Just my .02 cents' worth; hope it helps.

===================================================================
Larry Chin {larry () sprint ca}      Technical Specialist - ISC
Sprint Canada                     2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693     Suite 200, North York, Ontario
Fax:   416.498.3507               M2J 5E6
===================================================================
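
The split-brain arrangement described above, written out as BIND
configuration. This is an added example, not part of the original list
post: it assumes BIND 8.2/9 named.conf syntax, an internal master at
10.0.0.5, an internal slave/forwarder at 10.0.0.53, an external (DMZ)
server at 192.0.2.53 with an assumed secondary at 192.0.2.54, and the
domain example.com. All addresses and host names are made up for
illustration.

```conf
// ---------------------------------------------------------------------
// Internal DNS server (behind the firewall, assumed 10.0.0.53)
// ---------------------------------------------------------------------
// Holds the complete company zone as a slave of an internal master
// (assumed 10.0.0.5). Anything it is not authoritative for is forwarded
// to the external server in the DMZ (assumed 192.0.2.53); it never talks
// to the Internet roots itself, so only one inside host needs port 53 out.
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };
    forward only;                    // forwarder is the only path outside
    allow-query { 10.0.0.0/8; };     // assumed inside address space
};

zone "example.com" {
    type slave;
    file "slave/example.com.internal";
    masters { 10.0.0.5; };           // internal master with all the info
};

// ---------------------------------------------------------------------
// External DNS server (DMZ, assumed 192.0.2.53)
// ---------------------------------------------------------------------
// Master for a separate, hand-maintained copy of the zone that lists only
// exposed systems. It must never be slaved from the internal master, or
// the inside names end up on the outside server anyway.
options {
    directory "/var/named";
    allow-query { any; };            // the world may ask about public hosts
    allow-recursion { 10.0.0.53; };  // recurse only for the internal forwarder
};

zone "example.com" {
    type master;
    file "master/example.com.external";
    allow-transfer { 192.0.2.54; };  // assumed external secondary only
};

// ---------------------------------------------------------------------
// master/example.com.external  (assumed contents of the public zone file)
// ---------------------------------------------------------------------
// ; Only exposed systems appear here; nothing behind the firewall.
// $TTL 86400
// @     IN  SOA  ns1.example.com. hostmaster.example.com. (
// 1999051701 3600 900 604800 86400 )
//       IN  NS   ns1.example.com.
//       IN  MX   10 mail.example.com.
// ns1   IN  A    192.0.2.53
// www   IN  A    192.0.2.80
// mail  IN  A    192.0.2.25
```

With this layout the matching FireWall-1 rule is narrow: permit UDP and
TCP port 53 from 10.0.0.53 to 192.0.2.53 and nothing else outbound on
port 53 from the inside, which is what addresses the concern about letting
UDP out from every system. Restricting allow-recursion to the forwarder's
address matters: the external server still answers authoritatively for
anyone, but it does not become an open resolver for the rest of the
Internet.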

On Thu, 13 May 1999, Deepak Vaidya wrote:


Hello,

This is going to be a stupid question, but I hope someone can answer the
question without my being flamed :-(.

I have gotten a request to allow all clients behind a firewall to have
unrestricted access to dns servers outside the firewall.  

Can I get help in coming up with pros and cons of doing that? I tried to
search the archives, but the search page is not working properly.

I am not comfortable in allowing UDP packets outbound from all systems.
If it helps, we are using FireWall-1.

Thanks
- Deepak
