
Re: [FW1] DNS on FW-1 under Solaris 2.6

On Tue, 20 Apr 1999, Michael Alvarez wrote:

> What's wrong with running DNS right on FW1? Any information will be
> appreciated...

Normally, the less you run on the Firewall, the better.  So, adding
DNS software is an added security issue.  If you don't have to run
DNS on your FW, don't.  However, I have set it up for clients before.
If you don't have any better options, here are two recommendations.

1.  Use the latest version of Bind, 8.2, which you can find at
http://www.isc.org/bind.html

2.  Make sure you limit what IPs can do zone transfers from your
DNS.  Limit this with both the FW software and the DNS configuration
files, something like this:

--- snip snip ---

/*
 *     Master domain zone files
 */

zone "example.net" in {
        type master;
        file "master/example.net";
        // only this host (e.g. your secondary) may request AXFR;
        // without allow-transfer, Bind 8 hands the zone to anyone
        allow-transfer {192.168.1.132;};
};

--- snip snip ---

Hope that helps :)
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
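
A small audit script for recommendation 2 above, added to this archive
page as an example; it is not code from Lance's post. It parses a
named.conf in Bind 8/9 syntax, finds every master or slave zone, and
reports zones whose allow-transfer is missing (Bind 8 then allows
transfers to any host), inherited from an options { allow-transfer
{ any; }; } block, or explicitly set to "any". The sample config and
the host addresses in it are constructed for the example.

```python
import re

# Constructed sample named.conf (Bind 8/9 syntax) used as input below.
# Hosts, zone names and file paths are made up for the example.
SAMPLE_NAMED_CONF = """
// global options: this allow-transfer is the default for every zone
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.net" in {
    type master;
    file "master/example.net";
    allow-transfer { 192.168.1.132; };   /* only the secondary may AXFR */
};

zone "example.org" in {
    type master;
    file "master/example.org";
};

zone "secondary.example" in {
    type slave;
    file "slave/secondary.example";
    masters { 192.168.1.1; };
    allow-transfer { none; };
};
"""

NO_ACL = 'no allow-transfer in zone or options: Bind 8 default permits transfers to any host'
INHERITED_ANY = 'inherits allow-transfer { any; } from options'
ZONE_ANY = 'zone allow-transfer includes "any"'

_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Matches the opening of an options block or of a zone block (optional class word, e.g. "in").
_BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)"(?:\s+\w+)?)\s*\{')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    return _COMMENT_RE.sub('', text)


def _block_body(text, start):
    """Return (body, end_index) for the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError('unbalanced braces in named.conf')


def _acl(body, name):
    """Return the address list of a statement like 'allow-transfer { a; b; };', or None if absent."""
    m = re.search(r'\b' + name + r'\s*\{([^}]*)\}', body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def parse_named_conf(text):
    """Return (options_dict, list_of_zone_dicts) from named.conf text."""
    text = strip_comments(text)
    options, zones, pos = {}, [], 0
    while True:
        m = _BLOCK_RE.search(text, pos)
        if not m:
            break
        body, pos = _block_body(text, m.end() - 1)
        if m.group(1) == 'options':
            options['allow-transfer'] = _acl(body, 'allow-transfer')
        else:
            t = re.search(r'\btype\s+(\w+)', body)
            zones.append({'name': m.group(2),
                          'type': t.group(1) if t else None,
                          'allow-transfer': _acl(body, 'allow-transfer')})
    return options, zones


def audit_transfers(text):
    """List (zone, problem) for every master/slave zone that would answer AXFR for any host."""
    options, zones = parse_named_conf(text)
    default = options.get('allow-transfer')
    findings = []
    for z in zones:
        if z['type'] not in ('master', 'slave'):
            continue
        if z['allow-transfer'] is None and default is None:
            findings.append((z['name'], NO_ACL))
        elif z['allow-transfer'] is None and any(e.lower() == 'any' for e in default):
            findings.append((z['name'], INHERITED_ANY))
        elif z['allow-transfer'] is not None and any(e.lower() == 'any' for e in z['allow-transfer']):
            findings.append((z['name'], ZONE_ANY))
    return findings


if __name__ == '__main__':
    for zone, problem in audit_transfers(SAMPLE_NAMED_CONF):
        print(f'{zone}: {problem}')
```

Run it against your own file with
audit_transfers(open('/etc/named.conf').read()); a clean config returns
an empty list. It only checks the DNS side of the recommendation; the
matching FW-1 rule (TCP/53 to the firewall only from the listed
secondary) still has to be checked in the rulebase.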
