2 Questions - forward zone and DNS firewalling

Grant Taylor gtaylor at tnetconsulting.net
Thu Oct 25 21:57:48 UTC 2018


On 10/25/18 2:34 PM, N6Ghost wrote:
> I want to move a core namespace to the load balancer but I want them to
> let me assign them a new zone that's internally authoritative and use it
> as the LB domain.
> 
> which would be:
> cname name.domain.com -> newname.newzone.domain.com
> 
> they want:
> cname name.domain.com -> newname.oldzone.domain.com
> 
> old zone is directly delegated from outside to them so we need an
> internal forward zone for it. I don't want to rely on that.

Can I ask why you don't like forwarded zones?

Is it a possibility to slave the zone off of them instead of forwarding 
to them?

> any thoughts on this? What can I use to present to management to win
> this?

I think it comes down to pros and cons of each:  existing zone + 
forwarders vs new zone.

IMHO it's perfectly fine to have dislikes.  You just need to be able to 
explain them and / or set them aside if someone explains their position 
better.

> next, we were a BIND shop but switched to Infoblox for some stuff and
> now outgrew it, and are going back to BIND.
> 
> but we started using the DNS firewall part of it and they actually
> really liked it. Any ideas for domain blacklisting? Via some sort of
> feed etc? What is everyone doing for that sort of thing?

Response Policy Zone(s) are what you want.  I thought that's how 
Infoblox did it themselves.  Maybe they were using the newer Response 
Policy Service.  -  It's my understanding that the RPS API is open and 
documented.  It's just that there aren't any Open Source / free RPS 
services.

IMHO:  RPS is similar to milter for Sendmail or WCCP for caching proxies.

-- 
Grant. . . .
unix || die
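As an added illustration of the RPZ approach Grant points to (not code from the thread or from ISC), here is a small script that turns a domain feed into a BIND Response Policy Zone file, with the matching named.conf fragment in a comment. The feed content, the zone name rpz.local and the file path are assumptions made for the example.

```python
"""Build a BIND Response Policy Zone (RPZ) file from a domain blocklist feed."""
from datetime import datetime, timezone

# Constructed sample feed (not a real blocklist): one domain per line,
# '#' comments and blank lines allowed, with some junk to show filtering.
SAMPLE_FEED = """\
# constructed sample feed
bad.example
  tracker.example   # trailing comment
invalid domain name
bad.example
"""

def parse_feed(text):
    """Return de-duplicated, lowercased domain names; drop comments and junk."""
    seen = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or " " in line or len(line) > 253:
            continue                      # blank, comment-only or malformed line
        if line not in seen:
            seen.append(line)
    return seen

def rpz_zone(domains, origin="rpz.local", serial=None, action="nxdomain"):
    """Render an RPZ zone. RPZ encodes the policy in the CNAME target:
    'CNAME .' = NXDOMAIN, 'CNAME *.' = NODATA, 'CNAME rpz-passthru.' = exempt."""
    target = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}[action]
    if serial is None:
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d00"))
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{origin}.",
    ]
    for d in domains:
        lines.append(f"{d} IN CNAME {target}")     # the listed name itself
        lines.append(f"*.{d} IN CNAME {target}")   # and everything beneath it
    return "\n".join(lines) + "\n"

# Matching named.conf (assumed path; the zone is served locally, not to clients):
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "/etc/bind/rpz.local.db";
#                      allow-query { localhost; }; };
if __name__ == "__main__":
    print(rpz_zone(parse_feed(SAMPLE_FEED)), end="")
```

Bump the SOA serial on every regeneration (the date-based default does that once a day) so slaves notice the change, and run named-checkzone on the output before loading it.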
