- 01-05-2006 #1
DNS IP address
I am about to set up a BIND name server on my network. Should I give this box a public IP address and use iptables to stop all but DNS traffic to this box, or should I place this server behind my existing firewall and give it a private IP and set up forwarding rules to this box?
Thanks in advance for any advice...
- 01-05-2006 #2
Personally, I'd keep it behind my firewall and only let it farm out local IP addresses to the LAN, and not handle requests from the internet. I'd choose that option because it's less of a security vulnerability, and I'd leave my static IP pointed merrily at my firewall. This may sound like a 'would-be' situation, but in reality, it's exactly how my LAN is configured.
Linux user #126863 - see http://linuxcounter.net/
- 01-06-2006 #3
I need this name server to handle requests from the Internet though, for web and mail services.
- 01-06-2006 #4
Well, I found that you don't need to worry about that if whoever is hosting your domain records has everything set up correctly - i.e. your MX record points at your static IP and your domain with no www prefix (e.g. "domain.com", not "www.domain.com") points at your static IP too. You can use virtual hosting under Apache to have different websites, and your mail gets delivered right.
If you have to run your DNS server live on the internet, then do so, but it's open to abuse so be aware of the risks - and domain lookups from outside will sap your bandwidth.
Linux user #126863 - see http://linuxcounter.net/
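The two layouts asked about in the first post, written out as iptables rules. This is an added example, not part of any post in the thread; the interface name `eth0` and the address `192.168.1.53` are constructed placeholders, and the functions only print rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Prints rules for review; runs nothing.
# The interface name and address passed below are constructed placeholders.

# Layout 1: the BIND box has the public IP and filters itself.
# Accept loopback, replies to its own queries, and DNS on UDP/TCP 53
# (TCP is needed for large answers and zone transfers), then drop the rest.
# Management access (e.g. SSH from an admin address) needs its own rule.
dns_host_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Layout 2: the BIND box keeps a private IP behind the existing firewall.
# $1 = firewall's Internet-facing interface, $2 = BIND box's private address.
# DNAT rewrites the destination; the FORWARD rules let only port 53 through.
dns_forward_rules() {
    wan_if=$1
    dns_ip=$2
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport 53 -j DNAT --to-destination $dns_ip:53"
        echo "iptables -A FORWARD -i $wan_if -d $dns_ip -p $proto --dport 53 -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print both rule sets so they can be compared side by side.
dns_host_rules
dns_forward_rules eth0 192.168.1.53
```

In both layouts the only port reachable from outside is 53; the difference is whether the filtering happens on the name server itself or on the firewall in front of it.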

