Unapproved AXFR?
Kevin Darcy
kcd at daimlerchrysler.com
Tue Dec 14 20:34:12 UTC 1999

Dave Wreski wrote:
> I had a question about split DNS, actually. Is there really much
> difference between configuring split DNS and creating zones that are not
> resolvable from unauthorized domains? Now that bind8 has allow-query, it
> seems less of an advantage...

Allow-query is best used for fine-grained access to DNS data; if you want to
just make a certain zone non-queriable from the Internet, it's almost always
better to just run a separate external instance of named and then not define and
not delegate the zone in that server instance. It's a little more maintenance,
perhaps, but it generates less curiosity than allow-query does (because to the
Internet, the zone simply doesn't exist), and it provides the necessary
framework for true split-DNS should it become necessary, e.g. if you want to
hide part of a zone, or if you have data in a zone which must resolve
differently externally versus internally.
- Kevin
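
The two approaches compared in this message, side by side, as an added configuration sketch that is not part of the original post. It uses BIND 8 named.conf syntax; the zone names, address range, listen address and file paths are constructed for illustration.

```conf
// ===== Approach 1: one Internet-facing named, zone hidden with allow-query =====
// (constructed example; 10.0.0.0/8 is an assumed internal range)
acl "internal" { 10.0.0.0/8; };

zone "example.com" {
    type master;
    file "db.example.com";
};

zone "corp.example.com" {            // hypothetical internal-only zone
    type master;
    file "db.corp.example.com";
    allow-query { "internal"; };     // outside clients are denied, but the
                                     // Internet-facing server still holds the zone
};

// ===== Approach 2: separate external and internal instances =====

// --- named.conf for the EXTERNAL instance ---
options {
    directory "/var/named/external"; // assumed path
};

zone "example.com" {
    type master;
    file "db.example.com";           // public records only, with no NS records
                                     // delegating corp.example.com
};
// corp.example.com is deliberately not defined and not delegated here,
// so from the Internet the zone does not exist.

// --- named.conf for the INTERNAL instance ---
acl "internal" { 10.0.0.0/8; };

options {
    directory "/var/named/internal"; // assumed path
    listen-on { 10.0.0.53; };        // assumed internal address
    allow-query { "internal"; };
};

zone "corp.example.com" {
    type master;
    file "db.corp.example.com";
};
// For true split DNS, the internal instance would also define its own
// "example.com" zone with an internal version of the data.
```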