Forwarding to a non-standard port

John Tan d_name at hotmail.com
Thu Jul 15 13:07:15 UTC 1999


I was just wondering: if you disable recursion, then if the users on 
the internal network want to browse the Internet, wouldn't the forwarder to 
the external DNS fail, or did I miss something?


>From: Jim Reid <jim at mpn.cp.philips.com>
>To: Christine.Tran at East.Sun.COM
>CC: bind-users at isc.org
>Subject: Re: Forwarding to a non-standard port
>Date: Tue, 15 Jun 1999 18:43:27 +0200
>
> >>>>> "Christine" == Christine Tran <Christine.Tran at East.Sun.COM> writes:
>
>     Christine> From a security perspective, is it better to run my
>     Christine> forwarder (intended only for my internal nameservers)
>     Christine> and my external nameserver (publishes only a handful of
>     Christine> hostnames to outsiders) as two separate named
>     Christine> processes listening on two interfaces?  My forwarder
>     Christine> would do recursion for the internal ns, what's the harm
>     Christine> if outsiders use this service too?  (load, obviously,
>     Christine> but what else?) I can turn off recursion for queries
>     Christine> from outside but it's unfriendly and is it standard
>     Christine> practice these days?
>
>It's definitely better to run two distinct name server processes on
>the bastion host, one providing name service to the outside and one for
>the internal network. [You probably don't need/want forwarding on the
>internal name server, but that's another story.]
>
>The outside name server should hold the external naming information
>ONLY and should have recursion disabled. That way it can only tell the
>outside world about the things it already knows: the stuff you want to
>let the outside world know about your domain. That name server
>probably doesn't need to look up anything else anyway.
>
>If outsiders can get to the internal name server, they can look up your
>internal (private?) name space. You probably don't want that. First of
>all, disclosing the contents of the internal name space may well be a
>security/privacy problem. Secondly, queries from the outside could get
>returned names of internal web or mail servers that are unreachable
>from the outside. Finally, if the internal name space is visible
>externally, there's no point in implementing split DNS. It's a bit
>like installing a strong lock on your front door and then always
>leaving the key in it.
>



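The two-process split described in the quoted reply, written out as a pair of named.conf files. This is an added example, not configuration from the thread or from ISC; it uses BIND 9 named.conf syntax, which postdates the 1999 discussion. The addresses (192.0.2.10 for the external interface, 10.0.0.10 for the internal one), the zone name example.com, the secondary address and the file paths are all constructed placeholders.

```conf
// ---- named-external.conf: the named process facing the outside world ----
// Bound to the external interface only. Recursion is off, so this process
// can only answer from the public zone data it loads below. (Placeholder
// addresses and paths throughout; adjust for the real bastion host.)
options {
    directory "/var/named/external";
    listen-on { 192.0.2.10; };          // external interface only
    recursion no;                       // authoritative answers only
    allow-query { any; };               // the data here is meant to be public
    allow-transfer { 192.0.2.11; };     // placeholder: the public secondary
};

// Only the handful of hostnames intended for outsiders lives in this file.
zone "example.com" {
    type master;
    file "db.example.com.external";
};

// ---- named-internal.conf: the named process serving the internal network ----
// Bound to the internal interface only. Recursion stays on, but only for
// internal addresses, so internal hosts can still resolve Internet names
// while nothing on the outside can reach this process or its name space.
options {
    directory "/var/named/internal";
    listen-on { 10.0.0.10; };           // internal interface only
    recursion yes;                      // resolves on behalf of internal hosts
    allow-query { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // No "forwarders" statement: this process recurses from the root hints
    // itself, matching the remark that forwarding is usually unnecessary here.
};

zone "." {
    type hint;
    file "db.root";
};

// The full internal view of the same domain, never exposed externally.
zone "example.com" {
    type master;
    file "db.example.com.internal";
};
```

Each file is started as its own named process (for example with `named -c /etc/named-external.conf` and `named -c /etc/named-internal.conf`), so the "recursion no" on the external process does not affect internal users: their resolvers point at 10.0.0.10, which still recurses. The restriction to distinct interfaces is what keeps outsiders from ever reaching the recursive, internal-zone process; a single process with recursion disabled for outside sources would still hand out internal names to anyone who asked.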
