2 Questions - forward zone and DNS firewalling
N6Ghost
n6ghost at gmail.com
Fri Oct 26 07:08:46 UTC 2018
On Thu, 25 Oct 2018 15:57:48 -0600
Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> On 10/25/18 2:34 PM, N6Ghost wrote:
> > I want to move a core namespace to the load balancer but I want
> > them to let me assign them a new zone that's internally
> > authoritative and use it as the LB domain.
> >
> > which would be:
> > cname name.domain.com -> newname.newzone.domain.com
> >
> > they want:
> > cname name.domain.com -> newname.oldzone.domain.com
> >
> > old zone is directly delegated from outside to them so we need an
> > internal forward zone for it. I don't want to rely on that.
>
> Can I ask why you don't like forwarded zones?
Maybe it's just old habits, I think it's a bad idea to build your
infrastructure in a way that needs forward zones to work. Not when you
can build it with proper delegation.
I just think when building namespaces proper delegation should be used
and forward zones should be avoided if you can.
>
> Is it a possibility to slave the zone off of them instead of
> forwarding to them?
>
> > any thoughts on this? What can I use to present to management to win
> > this?
>
> I think it comes down to pros and cons of each: existing zone +
> forwarders vs new zone.
>
> IMHO it's perfectly fine to have dislikes. You just need to be able
> to explain them and / or set them aside if someone explains their
> position better.
>
> > next, we were a BIND shop but switched to Infoblox for some stuff
> > and now outgrew it, and are going back to BIND.
> >
> > but we started using the dns firewall part of it and they actually
> > really liked it. any ideas for domain blacklisting? via some sort of
> > feed etc? what is everyone doing for that sort of thing?
>
> Response Policy Zone(s) are what you want. I thought that's how
> Infoblox did it themselves. Maybe they were using the newer Response
> Policy Service. - It's my understanding that the RPS API is open
> and documented. It's just that there aren't any Open Source / free
> RPS services.
>
> IMHO: RPS is similar to milter for Sendmail or WCCP for caching
> proxies.
>
>
>
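The two technical questions in this thread (forwarding versus slaving the externally delegated old zone, and replacing the Infoblox DNS firewall with Response Policy Zones) are both plain BIND 9 configuration. The following is an added example written for this page, not configuration from the thread or from ISC; zone names, addresses and file paths are placeholders, and the RPZ records are constructed samples. The first file shows the forward zone that was requested, the secondary-zone alternative Grant suggests, and a locally maintained RPZ hooked into the resolver; the second file is the RPZ zone itself.

```conf
// ---- /etc/named.conf (placeholder paths and addresses) ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };

    // DNS firewall: apply the listed policy zones to every recursive
    // answer, first match wins. qname-wait-recurse no lets a QNAME
    // trigger answer immediately instead of resolving the name first.
    response-policy {
        zone "rpz.local";
    } qname-wait-recurse no;
};

// Log which policy rule fired; the "rpz" category exists for this.
logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 20m;
        print-time yes;
        severity info;
    };
    category rpz { rpz_log; };
};

// Option A: forward zone, as the LB team asked for. The resolver has
// no copy of the data; every lookup depends on the forwarders being up.
zone "oldzone.example.com" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Option B (use instead of A, not together): hold a secondary copy of
// the zone. The zone owners must allow AXFR/IXFR from this server, and
// the data keeps answering from local disk if the masters are down.
/*
zone "oldzone.example.com" IN {
    type slave;     // spelled "secondary" in BIND 9.16 and later
    file "slaves/oldzone.example.com.db";
    masters { 192.0.2.10; 192.0.2.11; };
};
*/

// Hand-maintained block list. A vendor or community feed is normally
// delivered the same way as any other zone: make it "type slave" with
// the feed provider as master and list it in response-policy above.
zone "rpz.local" IN {
    type master;
    file "rpz.local.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

; ---- /var/named/rpz.local.db (constructed sample records) ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. (
                2018102601 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
    IN NS   localhost.

; Trigger is the queried name (relative to the zone apex); the RDATA
; encodes the action.
; CNAME .              -> NXDOMAIN
; CNAME *.             -> NODATA (name exists, no records)
; CNAME rpz-passthru.  -> exempt from all later rules (allow list)
; ordinary CNAME/A     -> walled-garden redirect
bad.example              CNAME .
*.bad.example            CNAME .
tracker.example          CNAME *.
phish.example            CNAME sinkhole.internal.example.com.
corp-tool.example        CNAME rpz-passthru.
```

Validate before reloading with `named-checkconf` and `named-checkzone rpz.local /var/named/rpz.local.db`, then confirm the policy from a client with `dig @127.0.0.1 bad.example` (expect NXDOMAIN) and `dig @127.0.0.1 corp-tool.example` (expect a normal answer); each hit is written to the rpz log channel, which is the data you would hand to management when comparing this with the Infoblox reports.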