
DNS and mail resolution

On the Internet, the DNS maps domain names to IP addresses, for example resolving server1.acme.com to 123.45.67.8. Some firewalls can be configured to run as a primary, a secondary, or a caching DNS server.

Deciding how to manage DNS services is generally not a security decision. Many organizations use a third party, such as an ISP, to manage their DNS. In this case, the firewall can be used as a DNS caching server, improving performance but not requiring your organization to maintain its own DNS database.

If the organization decides to manage its own DNS database, the firewall can (but doesn't have to) act as the DNS server. If the firewall is to be configured as a DNS server (primary, secondary, or caching), other security precautions must be in place. One advantage of implementing the firewall as a DNS server is that it can be configured to hide the internal host information of a site: internal hosts get an unrestricted view of both internal and external DNS data, while external hosts do not have access to information about internal host machines. To the outside world, all connections to any host in the internal network will appear to have originated from the firewall. With the host information hidden from the outside, an attacker will not know the host names and addresses of internal hosts that offer service to the Internet.

Tip: A security policy for DNS hiding might state the following: If the firewall is to run as a DNS server, then the firewall must be configured to hide information about the network, so that internal host data are not advertised to the outside world.
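The hiding described above is usually implemented as split-horizon DNS. The following is an added example for a BIND 9 server running on the firewall, not configuration from the original text; it assumes the internal network is 10.0.0.0/8, the firewall's public address is 123.45.67.8, and zone files live under /etc/bind/zones/.

```conf
// named.conf (added example): two views of the acme.com zone, selected by
// the address the query arrives from. Internal clients see the full zone;
// everyone else sees only names that point at the firewall.

acl "internal-nets" {
    127.0.0.1;
    10.0.0.0/8;          // assumed internal address range
};

// Internal view: complete internal records, and recursion so inside hosts
// can resolve external names through the firewall.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "acme.com" {
        type master;
        file "/etc/bind/zones/acme.com.internal";   // e.g. server1 A 10.1.2.3
    };
};

// External view: must come after the internal view (views match in order).
// No recursion, no zone transfers, and a zone that exposes only the firewall.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "acme.com" {
        type master;
        file "/etc/bind/zones/acme.com.external";
    };
};

// ---- /etc/bind/zones/acme.com.external (assumed contents) ----
// ; Every externally visible service name resolves to the firewall, so
// ; outside resolvers never learn internal host names or addresses.
// ; Serial number and timers are constructed values.
// $TTL 3600
// @       IN  SOA   ns1.acme.com. hostmaster.acme.com. ( 2024010101 3600 900 604800 300 )
//         IN  NS    ns1.acme.com.
//         IN  MX 10 mail.acme.com.
// ns1     IN  A     123.45.67.8
// mail    IN  A     123.45.67.8
// www     IN  A     123.45.67.8
```

To confirm the hiding works, query the firewall from an external address with `dig @123.45.67.8 server1.acme.com`; it should return NXDOMAIN, while the same query from an internal address returns the private record.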
