MX Record/DNS help needed

Brad Knowles brad.knowles at skynet.be
Fri Jun 29 17:19:21 UTC 2001


At 9:20 AM -0700 6/29/01, BCC wrote:

>  This machine has two primary purposes:
>  1. To be a webserver
>  2. To forward email sent to nextproteins.com to the exchange server, port 25.

	Seems to me that you can split off the mail portion to a separate 
machine, and have it do the forwarding.  The web server and the mail 
server both could have local caching-only/recursive nameservers that 
they use to resolve any questions they may have, but if you set them 
listening only on 127.0.0.1, then you don't have problems with people 
outside your network trying to abuse them.

	If you still need one or more authoritative nameserver(s), you 
could set them up on other machines, which are dedicated to this 
purpose.


	The problem is that the more things you have running on a 
machine, the more chances you have that one of them will be insecure, 
and result in a security compromise.  If that happens, you trash 
everything on that one machine.

	If you split the services up onto dedicated separate machines, 
then if one of them is compromised this doesn't necessarily mean that 
the attackers will have any additional luck in breaking into any of 
the other machines (if they're all properly secured, that is).


	If at all possible, you really, really want to make sure that you 
run separate dedicated servers for each role, and do not try to make 
a machine perform more than one major function.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

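The loopback-only caching resolver described in the reply above, as an added example that is not part of Brad's message or the bind-users archive: two alternative BIND 9 `options` fragments (not one file), the open-resolver setting beside the corrected one. The directory path is a constructed placeholder.

```conf
// Weak: a caching resolver reachable from every interface (an open resolver).
// Anyone on the Internet can use it for recursion, so it can be abused for
// amplification or cache-poisoning attempts against your own hosts.
options {
    directory "/var/named";        // placeholder path
    recursion yes;
    listen-on { any; };            // binds the public address too
    allow-query { any; };
    allow-recursion { any; };
};

// Corrected: the same caching-only resolver, bound to loopback so that only
// local processes (the web server, the mail forwarder) can reach it.
options {
    directory "/var/named";        // placeholder path
    recursion yes;
    listen-on { 127.0.0.1; };      // IPv4 loopback only
    listen-on-v6 { ::1; };         // IPv6 loopback only
    allow-query { localhost; };    // built-in ACL: this host's own addresses
    allow-recursion { localhost; };
    // Carry no zones beyond the root hints and the localhost zones here;
    // authoritative service belongs on the dedicated machines.
};
```

Point the host's `/etc/resolv.conf` at `nameserver 127.0.0.1`; a query sent to the machine's public address from outside then gets no answer at all, because nothing is listening there.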
