In message <http://marc.info/?l=openbsd-misc&m=119514716426646&w=1>,
I wrote:
> I'm setting up a home firewall, intended to (try to) protect "client"
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats.
[[...]]
> My plan is to have the firewall run its own dhcpd on its inside interface,
[[...]]
> The purpose of this message is to ask for advice on how to handle
> DNS on the firewall.  I can see two basic options:
> (a) [[firewall gives out outside DNS server addresses to inside
>     machines via dhcp]]
> (b) [[firewall tells inside machines that the
>     firewall itself is a DNS server; firewall runs a DNS proxy to
>     pass DNS requests on to outside DNS servers]]

I'd like to thank the many people who responded, both on the list and
by private E-mail.  Here's a synopsis of the replies:
* Opinion was unanimous that (b) is more secure, and generally better.
* OpenBSD's named will work fine as my "DNS proxy" (more accurately,
  recursive resolver) on the firewall; it should need very little
  configuration to do this, quite possibly just  named_flags=""  in
  /etc/rc.conf.local
* Several people mentioned that having the firewall's named *caching*
  DNS entries will also improve reliability (since ISP nameservers are
  often flaky).  One person also mentioned that s/he uses opendns.com
  instead of ISP nameservers.

Again, my thanks to all who responded.

ciao,

-- 
-- Jonathan Thornburg (remove -animal to reply) <[EMAIL PROTECTED]>
   School of Mathematics, U of Southampton, England
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

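The configuration below is an added example of option (b) as summarised in the message above; it is not the poster's configuration and not taken from any reply on the list. It assumes an inside interface called em1 with address 192.168.1.1/24 and the OpenBSD defaults of the time (named chrooted under /var/named, dhcpd and named enabled from /etc/rc.conf.local); interface names, addresses and file paths are placeholders to adapt. The security-relevant point, which the message's "named_flags=\"\"" alone does not make explicit, is that the resolver must answer only the inside network: a recursive named reachable from the outside interface is an open resolver and a DNS amplification source, so recursion is restricted to the LAN in named.conf and port 53 is additionally closed on the outside interface in pf.

```conf
# /etc/rc.conf.local (assumed OpenBSD layout of the period)
named_flags=""
dhcpd_flags=""            # inside interface listed in /etc/dhcpd.interfaces, e.g. "em1"

# /var/named/etc/named.conf (path inside the named chroot; assumed default)
acl inside { 127.0.0.1; 192.168.1.0/24; };       # placeholder LAN prefix

options {
    directory "/namedb";
    version "";                                   # do not advertise the BIND version
    listen-on { 127.0.0.1; 192.168.1.1; };        # inside address only, never the WAN side
    allow-query { inside; };
    allow-recursion { inside; };                  # anyone else asking to recurse is refused
    // Optional: forward to ISP/OpenDNS resolvers instead of walking from the root.
    // Without this block named is a full recursive, caching resolver from the root hints.
    // forwarders { 203.0.113.53; };              # placeholder, TEST-NET-3 address
};

zone "." {
    type hint;
    file "etc/root.hint";
};

# /etc/dhcpd.conf: hand clients the firewall itself as their only nameserver
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.100 192.168.1.200;
}

# /etc/pf.conf fragment: DNS service reachable from the LAN, closed on the WAN side
ext_if = "em0"
int_if = "em1"
block in on $ext_if proto { tcp, udp } to port domain
pass  in on $int_if inet proto { tcp, udp } from $int_if:network to ($int_if) port domain
```

After starting named, the check a practitioner wants is that queries succeed from an inside host (`dig @192.168.1.1 www.openbsd.org`) and are refused or dropped from the outside address, and that a second lookup of the same name is answered from cache (the TTL in the answer decreases and the query time drops to a millisecond or so).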