I am setting up a new DMZ on my personal home net. I have commercial fw experience. However, the personal net uses Linux and iptables. It requires command-line config and is more involved to get it right. I have a tested fw script and am ready to cut over; however, I have a few remaining services to configure to get the whole thing working as I want. Specifically, DNS in the DMZ. Do you think I should house official DNS (and possibly official sendmail in the future) on the fw box in split-level mode, or on another separate box (P266, 192MB)? The www host is a Solaris 8 machine with 512MB. My cable ISP will not host DNS without a fee. This is just a small home web and photos for family, but allowing the whole world at it with public exposure requires me to provide the real features needed along with the real security.

Info: iptables on RedHat 2.6; www in DMZ on Solaris 8; internal DNS caching host.

Gregory W Zill
Are you talking about DNS servers for your normal internet access or name servers for your domain? I'm assuming the latter ...

How much fee? I pay $10/year/domain at SecuritySpace, which I find well worth it to not mess with in-house name servers. Particularly since, to do it right, you need at least two name servers that are on different networks (so that one going down won't affect the other one). With SecuritySpace my data can be available on up to seven name servers scattered around the world.

That being said, if I *were* running my own name servers, I would put them in the DMZ, not on the firewall. My Linux-based firewall/router does only that. My websites and email are on my Linux-based server in my DMZ.
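
One way to lay out the arrangement Ken describes as an iptables ruleset: the firewall box only filters and routes, the public www/authoritative DNS host sits in the DMZ, and the internal LAN (with its own caching resolver) is never reachable from the DMZ. This is an added example, not a script posted by anyone in the thread. The interface names (eth0 outside, eth1 DMZ, eth2 LAN), the RFC 1918 addresses, the single public address and the use of DNAT to publish the DMZ host are assumptions.

```shell
#!/bin/sh
# Added example: three-legged iptables firewall for the DMZ layout discussed
# in the thread (firewall box filters and routes only; public www/DNS host in
# the DMZ; internal LAN runs its own caching resolver).
# Interface names, addresses and the single-public-IP/DNAT setup are ASSUMPTIONS.
WAN=eth0                     # cable modem side
DMZ=eth1                     # DMZ segment
LAN=eth2                     # internal network
DMZ_HOST=192.168.10.10       # Solaris box running www + authoritative DNS
LAN_NET=192.168.1.0/24

# Print the complete ruleset in iptables-restore format. Kept in a function so
# the policy can be reviewed (and grepped) before anything is applied.
emit_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the firewall itself: it is a router, not a server ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp -j ACCEPT
# --- forwarded traffic ---
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# The DMZ must never initiate toward the internal network. This rule comes
# first so that nothing below can accidentally override it.
-A FORWARD -i $DMZ -o $LAN -j DROP
# Internet -> DMZ host: only the published services (destination is DMZ_HOST
# because the nat table has already rewritten it)
-A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp --dport 53 -j ACCEPT
# add a "-p tcp --dport 25" line here if sendmail is later moved into the DMZ
# DMZ host -> Internet: only what the host needs itself (name resolution, time);
# no general outbound access, so a compromised DMZ box is a poor pivot
-A FORWARD -i $DMZ -o $WAN -s $DMZ_HOST -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DMZ_HOST -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DMZ_HOST -p udp --dport 123 -j ACCEPT
# LAN -> Internet: unrestricted (the internal caching resolver lives here)
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# LAN -> DMZ: administration plus the same public services
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_HOST -p tcp -m multiport --dports 22,80,443,53 -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_HOST -p udp --dport 53 -j ACCEPT
# anything else is logged (rate-limited) and then hits the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# single public address: publish the DMZ host's services with DNAT
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443,53 -j DNAT --to-destination $DMZ_HOST
-A PREROUTING -i $WAN -p udp --dport 53 -j DNAT --to-destination $DMZ_HOST
# everything leaving toward the cable side is masqueraded behind the public IP
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Dry run by default (prints the ruleset); load it only when explicitly asked.
case "${1:-}" in
  --apply)
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    emit_rules | iptables-restore
    ;;
  *)
    emit_rules
    ;;
esac
```

Run it with no arguments to review the generated policy; `sh dmz-fw.sh --apply` as root loads it atomically through iptables-restore. The two properties worth checking before cutting over are that the DMZ-to-LAN DROP precedes every ACCEPT in FORWARD, and that the DMZ host's outbound access is limited to the few ports it actually needs rather than an "allow all out" rule.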

Good advice, Ken. My ISP -- Cox Cable of Omaha -- *will* provide DNS services included with my business account as long as they are authoritative. So, good deal for me, there. Now all I have to do is harden the system and start developing web pieces.

FYI: Sun Ultra10 with Solaris8 will be hosting an XAMPP platform for web and a blog, picture gallery and maybe some RSS.


Gregory W Zill

My connectivity is with Cox of Las Vegas NV. I'm going to be getting a second broadband connection (DSL or wireless).

I use Cox only for the connectivity, static IP address, reverse DNS on the IP address, and I use their DNS servers (not name servers) for internet access.

I prefer to scatter things around so I use SecuritySpace for name servers, Supernews for newsgroups, a small ISP in North Carolina for SMTP relay, CompuServe for a dialup backup to my broadband (until I get my second broadband connection), etc. For registering domains I deal directly with a registrar, not a reseller, and always do the registration myself.

It costs me more money to do things this way, but I'm less dependent on any one company.

