ipv4, ipV6 DNS BIND configuration and deployment
Mark Andrews
marka at isc.org
Mon Aug 5 01:12:15 UTC 2013
In message <51FEB96D.3070800 at pacbell.net>, Eduardo Bonsi writes:
> Hello Everyone,
>
> I have some questions about ipV6 transition and DNS configuration!
>
> I am preparing to make my transition to a dual stack ipv4, ipv6 and I
> have some concerns in regards to the security of the network since ipv6
> do not have NAT. My ISP gave me a Global
> 2602:000:000:000:000:000:000:000/64
Truly, your ISP should be giving you a /48 or as a minimum a /56.
A /64 is a single subnet. Your ISP will be getting addresses based
on giving customers a /56 or /48.
> Range and I can just turn on ipV6 on
> the router and set the network to automatic on the computer and I am
> connected through what they call a SLAAC ipV6 automatic conf network,
> that runs using the machine MAC address in which I am not very happy to
> adopt. I well know there is a way to mask the MAC address to random
> addresses as a security measure but I am still not happy about it.
And why are you not happy? Because someone said there was an issue
with it. Do you understand the reasoning behind the issue, and does
it apply to your use of the network? Because in many cases it doesn't.
Too often I see people complaining that MAC addresses are buried
in IPv6 addresses when in reality it is *not* a security issue for
the use case.
Modern IPv6 stacks use both types of address for different purposes.
Saying one is unhappy is quite often a knee-jerk reaction that
doesn't stand up to rigorous analysis. This is not to say you haven't
done that analysis, but given modern stacks I find complaints like
this just don't stack up.
> Besides, there is all the BIND DNS configuration that needs to be routed,
> or I am stuck with a slow, broken SLAAC connection that works, but not
> to the level of a DNS Server that I want to achieve. Therefore, as a
> network design, after analyzing my options, I have decided to use the
> static ipv4, ipV6 deployment approach that uses my ipV6 with the 3 last
> bits of the ipv4 NAT addresses already in place. This static option does
> not expose the machine MAC addresses.
>
> However, the addresses are directly
> connected through ipV6, bypassing the NAT environment. On BIND, the only
> change I have in the named.conf file is the,
>
> listen-on-v6 { any; };
>
> Therefore, here are my questions:
>
> 1. I am open to ideas or anything you think is best in choosing the best
> internal network design for ipV6.
Get more address space from your ISP. Use temporary addresses.
> 2. Since this static ipV6 deployment lacks the non-rotatable NAT
> environment, what are the security measures to take on BIND in regards
> to the recursive issues on ipV6?
Same as with IPv4. Locally connected networks are allowed to
recurse.
> 3. Are there any other security issues that I should consider?
>
>
> Many Thanks!
>
> Eduardo
>
> --
> Eduardo Bonsi
> System - Network Admin
> beartcom at pacbell.net
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
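A named.conf fragment added here as an illustration of the point above (recursion policy unchanged by IPv6, restricted to locally connected networks); it is not from Mark's message or from Eduardo's configuration. The acl name `trusted` and the IPv6 prefix `2001:db8::/56` are placeholders standing in for the prefix the ISP delegates; `localhost` and `localnets` are BIND's built-in ACLs.

```conf
// Example only: recursion policy for a dual-stack resolver.
// Without NAT, every IPv6 host is directly reachable, so the recursion
// ACL is what keeps the server from becoming an open resolver.

acl "trusted" {
    localhost;          // built-in: the server's own addresses
    localnets;          // built-in: every network the server has an interface on
    2001:db8::/56;      // placeholder for the prefix delegated by the ISP
};

options {
    directory "/var/cache/bind";

    // Listen on both address families (the v6 line is the one from the thread).
    listen-on    { any; };
    listen-on-v6 { any; };

    // Answer from authoritative data for anyone, but only recurse and
    // serve cache contents for locally connected networks. Same rule as IPv4.
    allow-query       { any; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Don't advertise version strings to the world.
    version "not disclosed";
};
```

After editing, `named-checkconf /etc/named.conf` validates the syntax, and a query from an address outside `trusted` with the RD bit set should come back with REFUSED (or a non-recursive answer), which is the quick check that the resolver is not open on the new v6 prefix.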