 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] about a dns server ...
 Date:  Mon, 16 Jan 2006 10:55:20 -0600
From: "Wayne Fiori" <dev9null at gmail dot com>
> On 1/15/06, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> > From: "michael" <micatod at koproject dot org>

> > > I have to choose a new gateway,
> > > I'm very interested in monowall,
> > > but I have to own a DNS server on the same PC, so
> > > can someone tell me if it's possible to add something like bind?

> > There are many of us who feel adding additional services to a firewall
> > compromises security.  So, this will probably never happen.  Also, since
> > m0n0wall runs in RAM, the DNS tables could take up a bit of memory.  You
> > could use a development environment to add it yourself.  I have a
> > virtual one here. http://www.hosted.net.nz/VMDE/

> Beyond the extra RAM needed, running a name server on your enforcement
> point requires that the enforcement point allow connections (from LAN
> all addresses) to it on the name server's listening port. Any good
> security policy would never allow such a wide open security policy,
> even on the LAN.

With the m0n0wall DNS cache and DHCP this is already allowed.  However, the 
security of those two things is much better than BIND, for example.

> If possible, run a split DNS. A separate (small) server on the LAN
> that is authoritative for the local name space and forwards out to the
> upstream name server for other name space resolution. This reduces the
> foot print on the firewall and doesn't require the internal name
> server to have a routeable address.

This is best for security.  And with a Linux or PicoBSD install, it can be
quite secure, and on very old hardware.
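The split DNS layout described above, as an added configuration example that is not from this thread: a small resolver on the LAN host that is authoritative for the internal name space and forwards everything else upstream, listening only on its LAN address and answering only LAN clients. It is written for Unbound rather than BIND; the LAN address 192.168.1.2, the network 192.168.1.0/24, the zone lan.example and the upstream resolver 203.0.113.53 are placeholders.

```conf
# /etc/unbound/unbound.conf  (example, placeholder addresses and zone)
server:
    # Listen only on the LAN-facing address; nothing on the WAN side.
    interface: 192.168.1.2
    port: 53

    # Refuse everyone, then allow only the LAN. This is the check that
    # keeps the name server from being "wide open", as discussed above.
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.0/24 allow

    # Reduce what the server reveals about itself.
    hide-identity: yes
    hide-version: yes

    # Authoritative answers for the internal name space. "static" means
    # names under lan.example that are not defined here get NXDOMAIN
    # instead of being looked up upstream (no leaking of internal names).
    local-zone: "lan.example." static
    local-data: "gateway.lan.example.    IN A 192.168.1.1"
    local-data: "ns.lan.example.         IN A 192.168.1.2"
    local-data: "fileserver.lan.example. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 fileserver.lan.example"

# Everything that is not internal is forwarded to the upstream resolver,
# so the LAN server itself never needs a routable address.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
```

Clients (for example via the m0n0wall DHCP server's DNS option) then point at 192.168.1.2 only, and the firewall rules need only permit LAN hosts to reach that one address on port 53.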