I'd put the server on the outside with iptables.
Putting it on the local network runs the risk of someone hacking the box via a DNS exploit and then gaining unrestricted access to the rest of your network.
Another solution is to add another leg to the firewall and place it on that network. This would be a classic DMZ configuration, but remember that as much as possible, only allow inbound connections to the servers in the DMZ for best security. This way a hacked DMZ server won't have access to your corporate network.
If the DMZ DNS servers are using NAT, then you'll probably have to use BIND zones to get your DNS correct to provide private IPs for the corporate queries and public IPs for queries from the Internet.
The Linux Home Networking site has rough outlines on how to do this.


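The DMZ forwarding policy described in the post above, written out as an added example that is not part of the original post: a script that prints an `iptables-restore` FORWARD ruleset for a three-legged firewall, where only inbound DNS reaches the DMZ server and nothing the DMZ initiates is forwarded. The interface names (`eth0`, `eth1`, `eth2`) and the server address `192.0.2.53` are constructed placeholders.

```shell
#!/bin/sh
# Added example: FORWARD-chain policy for a firewall with WAN, LAN and DMZ legs.
# All values below are assumptions; substitute your own.
WAN_IF=eth0          # Internet-facing interface
LAN_IF=eth1          # corporate network
DMZ_IF=eth2          # DMZ leg holding the DNS server
DNS_IP=192.0.2.53    # DMZ server address as seen in FORWARD (after any DNAT)

# Print the ruleset in iptables-restore format; nothing is applied here.
dmz_forward_rules() {
    printf '%s\n' '*filter'
    # Default-deny: anything not matched below is not forwarded.
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Replies to connections that were allowed in the first place.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Inbound DNS (UDP and TCP 53) to the DMZ server, from Internet and LAN.
    for src in "$WAN_IF" "$LAN_IF"; do
        for proto in udp tcp; do
            printf '%s\n' "-A FORWARD -i $src -o $DMZ_IF -d $DNS_IP -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Corporate clients may open connections to the Internet.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    # No rule accepts NEW traffic arriving on the DMZ interface, so a
    # compromised DMZ host cannot open connections to the LAN. Log the
    # attempts before dropping them: they are a strong compromise signal.
    printf '%s\n' "-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix \"DMZ-to-LAN blocked: \""
    printf '%s\n' "-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP"
    printf '%s\n' 'COMMIT'
}

dmz_forward_rules
```

The output covers only forwarded traffic and belongs inside a complete ruleset; it can be syntax-checked by piping it to `iptables-restore --test` before loading.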