From: Eric F Crist
Date: Fri, 21 Oct 2005 15:24:29 -0500
To: kilim
Cc: freebsd-questions@freebsd.org
Subject: Re: DNS server on firewall
In-Reply-To: <20051021130441.GA14018@phenix.rootshell.be>

On Oct 21, 2005, at 8:04 AM, kilim wrote:

> Hi,
>
> I'm getting a second machine next week and was wondering if the
> following setup would be ok:
>
> 1st machine pf + NAT and also primary DNS
> 2nd machine as a secondary DNS
>
> Now I know that it's not the smartest thing to do, have primary DNS on
> the firewall, but I'm thinking since the DNS is going to be chrooted,
> it would be ok, no?
>
> What do you think?
>
> Thank you!

You're better off not installing and running a DNS server on your firewall. I would recommend you simply turn your new machine into your primary DNS server and ask/pay someone to host a secondary server for you.

_______________________________________________________
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson