Doh: Lame server on '' (in ''?) , plus some security stuff.
Lincoln Yeoh
lyeoh at pop.jaring.nospam.my
Wed Mar 22 14:55:49 UTC 2000
On 21 Mar 2000 13:48:51 -0800, Kevin Darcy <kcd at daimlerchrysler.com> wrote:
>> I don't understand what you're trying to do here. Are you going to block your
>> *inside* users from asking about your public domains? If a public domain is a
>I tend to think that a split namespace would be a better way to go, though: get
>that private data off the external box completely!
OK. Here's what I'm trying: a firewall with two chrooted nameds (OK, so
supposedly not a good idea to run DNS on a firewall, but then run it
where...).
One external named, one internal.
External DNS:
People from unsecured external network can only do the following things:
1) query for PUBLIC hosts in mydomain.com. Public = hosts they need to know about.
2) reverse query for IP in my ip range.
NOTHING else.
Internal DNS:
People from internal network can do the following things:
1) recursive query for any hosts - ours, and outside.
2) Maybe zone transfers of internally visible DNS data owned by the
firewall.
The darn tar.gz of the resulting directories takes up 5MB, due to all the
copies of shared libraries (each chrooted DNS has its own environment,
unlike in the HOWTO, where it's shared).
Will probably have to look at DNScache as an alternative to BIND; looks
interesting.
Cheerio!
Link.
****************************
Reply to: lyeoh at pop.jaring.my
Spam to: people at uu.net
*******************************
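As an added illustration of the two-named split described in the post above (this is not the poster's configuration, and the post predates BIND 9), here are the two named.conf files such a firewall would carry, written in BIND 9 syntax. The address ranges are constructed: 192.0.2.0/24 stands in for the public range and 10.0.0.0/8 for the inside network; the zone file names and the acl name `inside` are assumptions.

```conf
// ---- external named.conf (chroot #1, faces the unsecured network) ----
// Constructed example. Public range assumed to be 192.0.2.0/24.
options {
    directory "/var/named";
    recursion no;                 // authoritative answers only, never resolve for outsiders
    allow-query { any; };         // anyone may ask about the public zones below ...
    allow-transfer { none; };     // ... but nobody may pull a whole zone
    version "not disclosed";      // hide the BIND version string from CHAOS queries
};

// Public view of mydomain.com: only the hosts outsiders need to know about.
// The file is separate from the internal copy, so private names never reach this box.
zone "mydomain.com" {
    type master;
    file "external/mydomain.com.zone";
};

// Reverse zone for the public range (item 2 in the post).
zone "2.0.192.in-addr.arpa" {
    type master;
    file "external/2.0.192.in-addr.arpa.zone";
};

// ---- internal named.conf (chroot #2, faces the inside network) ----
// Constructed example. Inside network assumed to be 10.0.0.0/8.
acl inside { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { inside; };      // outsiders get REFUSED even if they reach this instance
    allow-recursion { inside; };  // recursive lookups of outside names, inside clients only
    allow-transfer { inside; };   // zone transfers of internal data, inside hosts only
    // listen-on { 10.0.0.1; };   // assumed inside address of the firewall; keeps the two
                                  // instances on separate interfaces of the same host
};

// Root hints so the internal instance can recurse to the outside.
zone "." {
    type hint;
    file "named.root";
};

// Internal view of mydomain.com: the full host list, from its own file.
zone "mydomain.com" {
    type master;
    file "internal/mydomain.com.zone";
};
```

Each file can be syntax-checked with `named-checkconf -t <chroot-dir>` before starting its instance. The property worth verifying afterwards is the one the post is after: from an outside address, a recursive query to the external instance should come back REFUSED (or with recursion unavailable), a zone transfer should fail, and only names in the public zone file should resolve; from inside, the same zone transfer and recursive lookups succeed only against the internal instance. BIND 9 could express the same split with two `view` clauses in one process, but the post's layout of two separately chrooted nameds keeps the private zone file out of the externally reachable process entirely, which is the stronger separation.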