DNS on Firewalls
A firewall is highly security sensitive. If you're going to run BIND on your firewall, as some firewall solutions recommend, you should secure BIND in every way possible. In particular, you should run it in a chroot environment and with changed user and group IDs, as discussed earlier in this chapter.
If you run DNS on your firewall, it is usually used as a proxy for the internal DNS servers. This way, your internal DNS servers never talk to outside servers, and any DNS attacks can be directed only at the firewall, which is the point of a firewall, of course. The downside is that, unless your firewall is redundant, this is a single point of failure in your DNS. However, if your firewall fails, you won't have Internet ...
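
The proxy arrangement described above, sketched as two `named.conf` fragments. This is an added example, not configuration from the book; the addresses, the ACL name, the `named` account and the chroot path are all assumptions chosen for illustration.

```conf
// ---- Firewall: named.conf (the only server that talks to the Internet) ----
// Assumed start-up line, dropping privileges and entering the chroot:
//   named -u named -t /var/named/chroot
// (account name and chroot path are assumptions; use your own)

// Constructed addresses: the internal DNS servers allowed to use this proxy.
acl internal-dns { 10.0.0.53; 10.0.0.54; };

options {
    directory "/var/named";            // resolved inside the chroot

    // Answer only on loopback and the inside interface (10.0.0.1 is assumed).
    listen-on { 127.0.0.1; 10.0.0.1; };

    // Resolve on behalf of the internal DNS servers and nobody else.
    recursion yes;
    allow-query     { localhost; internal-dns; };
    allow-recursion { localhost; internal-dns; };

    // The proxy holds no zones anyone needs to copy.
    allow-transfer  { none; };
};

// ---- Internal DNS server: named.conf ----
options {
    directory "/var/named";

    // Send every query that cannot be answered locally to the firewall.
    forwarders { 10.0.0.1; };

    // "forward only" stops the server from falling back to contacting
    // outside servers itself when the firewall does not answer. With the
    // default ("forward first") it would try the outside servers directly.
    forward only;
};
```

With `forward only` set, a failed firewall means the internal servers stop resolving external names, which is the single point of failure noted above.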