From: "Wayne Fiori" <dev9null at gmail dot com>
> On 1/15/06, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> > From: "michael" <micatod at koproject dot org>
> > > I have to choose a new gateway,
> > > I'm very interested in monowall,
> > > but I have to own a DNS server on the same PC, so
> > > can someone tell me if it's possible to add something like BIND?
> > There are many of us who feel adding additional services to a firewall
> > compromises security. So, this will probably never happen. Also, since
> > m0n0wall runs in RAM, the DNS tables could take up a bit of memory. You
> > could use a development environment to add it yourself. I have a
> > virtual one here. http://www.hosted.net.nz/VMDE/
> Beyond the extra RAM needed, running a name server on your enforcement
> point requires that the enforcement point allow connections (from all
> LAN addresses) to it on the name server's listening port. Any good
> security policy would never allow such a wide open security policy,
> even on the LAN.
With the m0n0wall DNS cache and DHCP this is already allowed. However, the
security of those two things is much better than BIND, for example.
> If possible, run a split DNS. A separate (small) server on the LAN
> that is authoritative for the local name space and forwards out to the
> upstream name server for other name space resolution. This reduces the
> footprint on the firewall and doesn't require the internal name
> server to have a routable address.
This is best for security. And with a Linux or PicoBSD install, it can be
quite secure, and on very old hardware.
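The split-DNS setup described above, as an added example that is not part of this thread: an Unbound configuration for a small LAN-only box that answers for a local zone itself and forwards everything else upstream. The LAN address 192.168.1.2, the zone name "lan.", the host records and the upstream resolver 203.0.113.53 are all constructed placeholders.

```conf
# unbound.conf for a split-DNS forwarder on the LAN (constructed example)
server:
    # Listen only on the LAN-facing address; nothing is exposed on a
    # routable address, so the firewall needs no inbound DNS rule at all
    interface: 192.168.1.2
    port: 53

    # Only LAN clients (and the box itself) may query; refuse everyone else
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Do not reveal the server software or host name to queriers
    hide-identity: yes
    hide-version: yes

    # Drop upstream answers that point into private ranges (DNS rebinding)
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Authoritative data for the local name space; "static" means names
    # not listed here get NXDOMAIN instead of being sent upstream
    local-zone: "lan." static
    local-data: "gateway.lan. IN A 192.168.1.1"
    local-data: "ns.lan.      IN A 192.168.1.2"
    local-data-ptr: "192.168.1.1 gateway.lan"
    local-data-ptr: "192.168.1.2 ns.lan"

# Everything outside "lan." is forwarded to the upstream resolver
forward-zone:
    name: "."
    forward-addr: 203.0.113.53   # placeholder upstream address
```

With this in place, LAN clients point at 192.168.1.2 for DNS, and the firewall's own DNS forwarder can be left unused by clients.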