Firewalls - Reviewed

I'm looking for a solid but fairly priced firewall that will
specifically allow me to host my own MX record and act as Primary NS
for my domain. Any suggestions?
Neophite [ Tue, 14 June 2005 22:09 ] [ ID #837674 ]

Re: Firewalls - Reviewed

In article <1118779778.239818.280350 [at] f14g2000cwb.googlegroups.com>,
neophite <jpbaca02 [at] comcast.net> wrote:
:I'm looking for a solid but fairly priced firewall that will
:specifically allow me to host my own MX record and act as Primary NS
:for my domain. Any suggestions?

Those aren't traditional firewall features -- I can't say that
I've ever encountered a firewall appliance that was also a DNS server.

There are two traditional firewall features I can think of that
may be of interest to you: port forwarding; and DNS address
translation of internal IP addresses to external addresses.

Port forwarding is very common, even in low-end devices that do not
keep track of packet state. For port forwarding, you usually just
go into a simple configuration screen, enter the port number
as known to the outside world, enter the internal IP address you
want the packets forwarded to, and enter the internal port number
on that internal machine (the same as the external port number
much of the time.)

DNS address translation is a convenience. If you have DNS
address translation, then when your internal machines query your
internal DNS server, then they get told the internal IP addresses,
but when external machines query the -same- internal DNS servers,
they get told the external IP address. This allows you to use a single
DNS server for internal and external clients. If you do not have
that feature, then you either need to configure different DNS servers
for internal and external clients, or else you need to configure
a single DNS server to have "split views", in which it specifically
notices where the query is coming from and returns different data
to the different callers [this may require essentially duplicating
records, but at least it doesn't require a second server.]

An example of a firewall that does do DNS address translation
is the Cisco PIX 501. But as I indicated above, with a bit of work
you can get away without having this feature: in that case,
you are just looking for standard firewall functionality, and
the model of the device you buy will depend on your other needs
(e.g., bandwidth shaping, content filtering, virus checking), and
upon your Threat Risk Assessment.
--
"Never install telephone wiring during a lightning storm." -- Linksys
roberson [ Tue, 14 June 2005 22:30 ] [ ID #837675 ]
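The "split views" that roberson describes above (one authoritative server answering internal clients with internal addresses and everyone else with the external address) can be modelled compactly. The block below is an added illustration, not code from the thread or from any product mentioned in it; it emulates BIND-style view selection by client address in plain Python, and every name, address and network in it is constructed for the example.

```python
"""Split-horizon ("split view") DNS, modelled in plain Python.

Added illustration: one server holds two copies of the same zone and
selects one by the querying client's source address, the way BIND 9
views with match-clients do. All names, addresses and networks are
constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: RFC 1918 and loopback space count as "inside"; anything
# else is treated as an outside client.
INTERNAL_NETS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed zone data: the same names, different answers per view.
# The records are effectively duplicated, as the post notes, but one
# server serves both audiences.
VIEWS: Dict[str, Dict[str, str]] = {
    "internal": {
        "mail.example.test": "192.168.1.10",      # the real host on the LAN
        "ns1.example.test": "192.168.1.11",
        "intranet.example.test": "192.168.1.20",  # never published outside
    },
    "external": {
        "mail.example.test": "198.51.100.10",     # the firewall's public address
        "ns1.example.test": "198.51.100.11",
    },
}


def select_view(client_ip: str) -> str:
    """Emulate match-clients: 'internal' if the source is in an internal net."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer a query for `name` using the view chosen by the client's address.

    Returns None when the name does not exist in the selected view, so an
    internal-only name is simply invisible to outside clients.
    """
    view = select_view(client_ip)
    return VIEWS[view].get(name.rstrip(".").lower())


def resolve_flat(name: str) -> Optional[str]:
    """What a single public zone tells everyone, inside or out: internal
    clients get the external address and must hairpin through the firewall."""
    return VIEWS["external"].get(name.rstrip(".").lower())


if __name__ == "__main__":
    for client in ("192.168.1.50", "203.0.113.7"):
        print(client, select_view(client),
              resolve("mail.example.test", client),
              resolve("intranet.example.test", client))
```

Run it directly to see the same query answered differently for an inside and an outside client; `resolve_flat` shows what the same internal client would get without a split view.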

Re: Firewalls - Reviewed

There are some software based firewalls that allow for this.
Specifically the old NAI Gauntlet firewall used to allow for this. It
was very handy, and I'd love that functionality back. I'd rather not
deal with a separate DNS/SMTP server if at all possible.
Neophite [ Tue, 14 June 2005 23:31 ] [ ID #837678 ]

Re: Firewalls - Reviewed

neophite wrote:

> There are some software based firewalls that allow for this.
> Specifically the old NAI Gauntlet firewall used to allow for this. It
> was very handy, and I'd love that functionality back. I'd rather not
> deal with a separate DNS/SMTP server if at all possible.

Filtering devices should run and offer as few services as possible. In
the case of an exploit in a service which the filtering device offers,
your gateway is toast. You definitely don't want to risk that. Gateways
are gateways and servers are servers. Period.

Wolfgang
Wolfgang Kueter [ Tue, 14 June 2005 23:47 ] [ ID #837679 ]

Re: Firewalls - Reviewed

Wolfgang is right, invest in a firewall and make the DNS server a
separate system. Just throw together a cheap Linux or BSD system for
your DNS.

-Jared
DarbyCrash [ Wed, 15 June 2005 01:58 ] [ ID #839436 ]

Re: Firewalls - Reviewed

Post removed (X-No-Archive: yes)
Notifier Deamon [ Wed, 15 June 2005 02:06 ] [ ID #839439 ]

Re: Firewalls - Reviewed

"neophite" <jpbaca02 [at] comcast.net> wrote in message
news:1118779778.239818.280350 [at] f14g2000cwb.googlegroups.com...
> I'm looking for a solid but fairly priced firewall that will
> specifically allow me to host my own MX record and act as Primary NS
> for my domain. Any suggestions?
>

Symantec Raptor may be able to provide the features you desire. I
personally think Raptor sucks, but it does have that feature.
wayne [ Wed, 15 June 2005 02:13 ] [ ID #839440 ]

Re: Firewalls - Reviewed

I realize that smtp (MX) and NS (DNS) have nothing to do with the
firewall, but for ease of administration and security, it would be
extremely handy to have a box that provides all these features on one
box.
I also understand DNS and its functionality, however, it's not true
that it runs specifically on the inside to forward outside. I need a
NS on the outside because I am "primary" for my domain, therefore the
need to have a secured DNS server on the outside of my firewall, or
part of the firewall.
Same goes for my SMTP traffic. I host my MX record, therefore need a
secure SMTP server on the outside.
Neophite [ Wed, 15 June 2005 18:42 ] [ ID #839471 ]

Re: Firewalls - Reviewed

In article <1118853724.975022.111700 [at] g14g2000cwa.googlegroups.com>,
neophite <jpbaca02 [at] comcast.net> wrote:
:I also understand DNS and its functionality, however, it's not true
:that it runs specifically on the inside to forward outside.

I must have missed the posting in which anyone said that it did?

: I need a
:NS on the outside because I am "primary" for my domain, therefore the
:need to have a secured DNS server on the outside of my firewall, or
:part of the firewall.

What you want is not really a DNS server on the outside: what you
want more is a DNS server on a DMZ ("Delimiterized Zone") -- something
that can be -reached- from the outside, but has its ports secured by
the firewall, and which can only reach to the inside systems to the
extent that you have specifically configured.

:Same goes for my SMTP traffic. I host my MX record, therefore need a
:secure SMTP server on the outside.

Again, not on the outside, on a DMZ.

You will see DMZ listed against quite a few low-end devices, but
in many of the low-end devices, "DMZ" is just a way of saying,
"an address which is not subject to the firewall protections, and
which is expected to have been secured some other way." The "DMZ"
on such devices might operate in public IP space, or might operate
in the private NAT'd IP space, but on the low-end devices there
often is little or no barrier between the "DMZ" and the "inside".

A proper DMZ requires an extra interface (or at least use of VLANs)
and mechanisms for separately configuring the interactions between
outside and DMZ, outside and inside, and DMZ and inside.

I do not happen to be familiar with any consumer-class firewalls that
provide a real DMZ. There are probably some out there; I just don't
know of them.

Earlier I mentioned the Cisco PIX 501: it does NOT have DMZ capability
(the Cisco PIX 506/506E does, but only via VLANs; the lowest
commonly-available PIX model with separate interfaces is the 515 and 515E.)
--
History is a pile of debris -- Laurie Anderson
roberson [ Wed, 15 June 2005 19:45 ] [ ID #839473 ]
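The distinction roberson draws between a low-end "DMZ" (a host simply exempted from protection, with nothing between it and the LAN) and a proper DMZ (outside/DMZ, outside/inside and DMZ/inside each filtered separately), together with the port-forwarding screen described in the first reply, can be captured as a small policy model. The block below is an added example, not code from the thread or from any of the products named in it; the zones, addresses, port-forward table and rules are constructed, and the first-match semantics are an assumption stated in the code.

```python
"""Three-zone firewall policy (outside / DMZ / inside), modelled in Python.

Added illustration, constructed for this thread: a port-forward table in
the style of a consumer device's configuration screen, a low-end "DMZ"
that is merely exempt from filtering, and a proper DMZ whose three
zone pairs are each configured separately. First matching rule wins
(assumed semantics); anything unmatched falls to the default action.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addressing: public space is "outside" by default, the DMZ
# and LAN are distinct private networks on separate interfaces.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "outside": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed port-forwarding table: (public address, external port) ->
# (internal host, internal port), exactly the three fields the first
# reply says such a screen asks for.
PORT_FORWARDS: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("198.51.100.10", 53): ("172.16.0.5", 53),   # DNS server in the DMZ
    ("198.51.100.10", 25): ("172.16.0.5", 25),   # SMTP (MX host) in the DMZ
}


def zone_of(ip: str) -> str:
    """Most specific zone match wins; unmatched addresses are 'outside'."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "outside", -1
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def translate(dst_ip: str, dport: int) -> Tuple[str, int]:
    """Apply the port-forward table (destination NAT) before policy lookup."""
    return PORT_FORWARDS.get((dst_ip, dport), (dst_ip, dport))


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """Translate the destination, classify both ends, then first match wins."""
    src_ip, dst_ip, dport = flow
    dst_ip, dport = translate(dst_ip, dport)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dport in (None, dport):
            return r.action
    return default


# Low-end "DMZ": the DMZ host is reachable from outside on every port and
# there is no barrier between it and the inside.
LOW_END_DMZ: List[Rule] = [
    Rule("outside", "dmz", None, "accept"),
    Rule("dmz", "inside", None, "accept"),
    Rule("inside", "dmz", None, "accept"),
    Rule("inside", "outside", None, "accept"),
]

# Proper DMZ: outside reaches only the published DNS and SMTP ports; the
# DMZ may reach the inside only where specifically configured (here, mail
# relay to the internal mail store); inside may reach DMZ and outside.
PROPER_DMZ: List[Rule] = [
    Rule("outside", "dmz", 53, "accept"),
    Rule("outside", "dmz", 25, "accept"),
    Rule("dmz", "inside", 25, "accept"),
    Rule("inside", "dmz", None, "accept"),
    Rule("inside", "outside", None, "accept"),
]


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Compare both policies over the same sample flows."""
    return [(f, evaluate(LOW_END_DMZ, f), evaluate(PROPER_DMZ, f)) for f in flows]


if __name__ == "__main__":
    sample = [
        ("203.0.113.9", "198.51.100.10", 25),   # outside -> published SMTP
        ("203.0.113.9", "198.51.100.10", 22),   # outside -> unpublished port
        ("172.16.0.5", "192.168.1.10", 445),    # compromised DMZ host -> LAN
        ("172.16.0.5", "192.168.1.10", 25),     # DMZ relay -> internal mail
    ]
    for flow, low, proper in audit(sample):
        print(flow, "low-end:", low, "proper:", proper)
```

The third sample flow is the one that matters: with the low-end "DMZ" a compromised DMZ host reaches the LAN on any port, while the proper policy only lets it open the one relay connection that was deliberately configured.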

Re: Firewalls - Reviewed

Post removed (X-No-Archive: yes)
Notifier Deamon [ Thu, 16 June 2005 14:00 ] [ ID #841029 ]

Re: Firewalls - Reviewed

Leythos <void [at] nowhere.lan> wrote:
>
>> I need a
>> NS on the outside because I am "primary" for my domain, therefore the
>> need to have a secured DNS server on the outside of my firewall, or
>> part of the firewall.
>
> If you purchased a domain name, you might find it easier to allow the
> provider to host your public DNS, it's one less machine you have to
> purchase, and it's likely to be more reliable than running your own
> DNS server unless you have a real data center.
>
>> Same goes for my SMTP traffic. I host my MX record, therefore need a
>> secure SMTP server on the outside.
>
> Again, you need a DNS service exposed through the firewall and located
> in your DMZ, do not put the DNS server outside the firewall. I would
> suggest that you host your DNS at your ISP or domain name providers
> location. We have about 80 domain names, not one of them is hosted on
> our DNS Servers, we have them configured with our domain name
> providers.

There can be good reasons to run your own DNS server, or at the very
least be a "hidden" primary that the ISP gets zone files from.
Lack of knowledge and understanding of DNS is the main concern -- most
providers simply don't grok DNS, but are happy enough if it appears to
"work" with very limited functionality. I bet that 9 out of 10 ISPs
won't let you update entries using key signed update requests -- simply
because they have no clue how to set this up. Nor have a different view
for requests from your site.

Here, I have the DHCP server updating the DNS server as machines go
online/offline, and only known clients can query local machines, or get
an internal MX for mail. I doubt there's many ISPs that would handle
such a setup for you.

Also, there's firewall appliances that will proxy DNS requests, so you
don't really need to expose the DNS server through the firewall
(although it's always a good idea to put boxes serving the outside world
in a DMZ).

Regards,
--
*Art
Arthur Hagen [ Thu, 16 June 2005 14:55 ] [ ID #841037 ]

Re: Firewalls - Reviewed

If you really want to get fancy there are firewalls out there (Sidewinder
for one) which run a split-dns and split-sendmail configuration.


"Leythos" <void [at] nowhere.lan> wrote in message
news:MPG.1d193af63487726d98990e [at] news-server.columbus.rr.com...
> In article <1118779778.239818.280350 [at] f14g2000cwb.googlegroups.com>,
> jpbaca02 [at] comcast.net says...
>> I'm looking for a solid but fairly priced firewall that will
>> specifically allow me to host my own MX record and act as Primary NS
>> for my domain. Any suggestions?
>
> Firewalls and MX/DNS have nothing to do with each other.
>
> DNS is a service that runs on a computer - it should be inside your LAN
> and provide DNS Forwarding for things that resolve outside your LAN.
>
> Firewalls are for blocking access - they have nothing to do with DNS.
>
> --
> --
> spam999free [at] rrohio.com
> remove 999 in order to email me
Michael Seidner [ Tue, 21 June 2005 07:46 ] [ ID #847762 ]

Re: Firewalls - Reviewed

Look at the Sidewinder appliance. We have customers using it in the
configuration you are talking about. It will cover DNS for your internal
network, DMZ and external network for providing name services.



"Wayne" <richard.field.nospam [at] insightbb.com> wrote in message
news:uoKre.59632$nG6.3234 [at] attbi_s22...
>
> "neophite" <jpbaca02 [at] comcast.net> wrote in message
> news:1118779778.239818.280350 [at] f14g2000cwb.googlegroups.com...
>> I'm looking for a solid but fairly priced firewall that will
>> specifically allow me to host my own MX record and act as Primary NS
>> for my domain. Any suggestions?
>>
>
> Symantec Raptor may be able to provide the features you desire. I
> personally think Raptor sucks, but it does have that feature.
>
Michael Seidner [ Tue, 21 June 2005 07:48 ] [ ID #847763 ]

Re: Firewalls - Reviewed

Post removed (X-No-Archive: yes)
Notifier Deamon [ Tue, 21 June 2005 23:50 ] [ ID #847791 ]
Miscellaneous » comp.security.firewalls » Firewalls - Reviewed