 From:  Wayne Fiori <dev9null at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] about a dns server ...
 Date:  Sun, 15 Jan 2006 23:01:54 -0800
On 1/15/06, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> From: "michael" <micatod at koproject dot org>
>
> > I have to choose a new gateway,
> > I'm very interested in monowall,
> > but I've to own a dns server on the same pc, so
> > can someone tell me if it's possible to add something like bind??
>
> There are many of us who feel adding additional services to a firewall
> compromises security.  So, this will probably never happen.  Also, since
> m0n0wall runs in RAM, the DNS tables could take up a bit of memory.  You
> could use a development environment to add it yourself.  I have a virtual
> one here. http://www.hosted.net.nz/VMDE/
>

Beyond the extra RAM needed, running a name server on your enforcement
point requires that the enforcement point allow connections (from all
LAN addresses) to it on the name server's listening port. Any good
security policy would never allow such a wide-open security policy,
even on the LAN.

If possible, run a split DNS. A separate (small) server on the LAN
that is authoritative for the local name space and forwards out to the
upstream name server for other name space resolution. This reduces the
footprint on the firewall and doesn't require the internal name
server to have a routable address.
--
=Wayne
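An added configuration example, not from this thread or from the m0n0wall project, showing the split DNS layout Wayne describes as a BIND 9 `named.conf`: a small server on the LAN that is authoritative for the internal zone and forwards everything else to the upstream resolver. The zone name `lan.example`, the LAN subnet 192.168.1.0/24, the server's own address 192.168.1.2, the upstream resolver 192.0.2.53 and the zone file path are all placeholders chosen for the example.

```conf
// Split DNS forwarder for the LAN (added example; all addresses and
// names below are placeholders, not values from the thread).
options {
    directory "/etc/namedb";

    // Listen only on the LAN interface and loopback; the firewall
    // never needs a rule allowing port 53 to itself.
    listen-on port 53 { 127.0.0.1; 192.168.1.2; };
    listen-on-v6 { none; };

    // Only LAN hosts may ask this server to resolve names for them.
    allow-query     { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    recursion yes;

    // Everything this server is not authoritative for goes to the
    // upstream resolver (placeholder address); "forward only" keeps
    // the LAN server from walking the root servers on its own.
    forwarders { 192.0.2.53; };
    forward only;

    // Never advertise the internal name space to anyone else and
    // refuse zone transfers by default.
    allow-transfer { none; };
    version "none";
};

// The internal name space: answered from local zone data, which takes
// precedence over the forwarders above. The zone file is assumed to
// exist at this placeholder path.
zone "lan.example" {
    type master;
    file "master/lan.example.db";
    allow-query { localhost; 192.168.1.0/24; };
};

// Reverse zone for the LAN so internal PTR lookups also stay inside.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa.db";
    allow-query { localhost; 192.168.1.0/24; };
};
```

With this layout the only DNS traffic that crosses the firewall is the forwarder's own outbound queries to 192.0.2.53, so the firewall rule set need only permit UDP/TCP 53 from 192.168.1.2 outbound; no inbound rule to the firewall itself is required, and the internal server needs nothing more than a private LAN address.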