Author: Simon Capstick
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] DNS servers in DMZ's, good or bad idea ? Discuss
Brian Chivers wrote:
> I have been "tasked" with replacing our main internet facing DNS server
> and have been looking into the various such as chroot environments. I'd
> planned on using a base install of Etch as the OS platform.
>
> Chroots seem like a really good idea but one thing I thought that I
> could do to increase security is to run it in our DMZ. I can have
> multiple external IP addresses on our firewall so this isn't a problem
> and then just port forward port 53.
>
> Am I missing something, would this work and does anyone have any advice
> about this?
>
> Thanks
> Brian

I thought the purpose of a DMZ was to stop or limit the 'rot' should a
host in the DMZ be compromised. Ideally you would have a DMZ for each
server so that traffic between them is strictly defined and stops you
from having one big soft spot (lots of servers in one DMZ).

Don't forget you can always use a virtual machine solution like Xen. If
you're paranoid then it offers another level of security over chroot.
I've never tried it but you should be able to set up iptables between
the VMs, thus giving each server its own specific DMZ. You could even
periodically scan LVM snapshots of your VMs for rootkits without
stopping them. I don't know if this has real-life usefulness but it
appeals to me :-)

Simon
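An added example, not from either poster, of what "port forward port 53" and "traffic between them strictly defined" look like as iptables rules on the firewall in front of a single-host DNS DMZ. Interface names, the public address and the DMZ host address are made-up placeholders; run it with IPT=echo to preview the rules without touching a live firewall.

```shell
#!/bin/sh
# Example (not from the thread): firewall rules for one DNS host in its own DMZ.
# The firewall owns the public IP, DNATs port 53 to the DMZ host, and the DMZ
# host is never allowed to initiate anything towards the internal LAN, so a
# compromised resolver stays inside the DMZ. Names/addresses are assumptions.
IPT="${IPT:-iptables}"

dmz_dns_rules() {
    wan_if="$1"; dmz_if="$2"; lan_if="$3"
    pub_ip="$4"; dns_ip="$5"

    # Default-deny forwarding; every permitted flow below is explicit.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Publish only port 53 (UDP, plus TCP for truncated answers and zone
    # transfers) on the public address, forwarded to the DMZ host.
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$wan_if" -d "$pub_ip" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$dns_ip"
        $IPT -A FORWARD -i "$wan_if" -o "$dmz_if" -d "$dns_ip" -p "$proto" --dport 53 \
            -m state --state NEW -j ACCEPT
    done

    # DMZ -> LAN: nothing, ever. Listed before the outbound allows for clarity.
    $IPT -A FORWARD -i "$dmz_if" -o "$lan_if" -j DROP

    # DMZ -> Internet: only DNS itself (upstream queries / transfers from a
    # hidden master), and only from the DNS host's own address.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$dmz_if" -o "$wan_if" -s "$dns_ip" -p "$proto" --dport 53 \
            -m state --state NEW -j ACCEPT
    done

    # Log whatever else the DMZ host tries; the DROP policy then discards it.
    $IPT -A FORWARD -i "$dmz_if" -j LOG --log-prefix "DMZ-DNS-DENY: "
}

# Usage: IPT=echo ./dmz-dns.sh eth0 eth1 eth2 203.0.113.10 192.0.2.53
if [ "$#" -eq 5 ]; then
    dmz_dns_rules "$@"
fi
```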