2 Questions - forward zone and DNS firewalling
Grant Taylor
gtaylor at tnetconsulting.net
Thu Oct 25 21:57:48 UTC 2018
On 10/25/18 2:34 PM, N6Ghost wrote:
> I want to move a core namespace to the load balancer but i want them to
> let me assign them a new zone that's internally authoritative and use it
> as the LB domain.
>
> which would be:
> cname name.domain.com -> newname.newzone.domain.com
>
> they want:
> cname name.domain.com -> newname.oldzone.domain.com
>
> old zone is directly delegated from outside to them so we need an
> internal forward zone for it. I don't want to rely on that.
Can I ask why you don't like forwarded zones?
Is it a possibility to slave the zone off of them instead of forwarding
to them?
> Any thoughts on this? What can I use to present to management to win
> this?
I think it comes down to pros and cons of each: existing zone +
forwarders vs new zone.
IMHO it's perfectly fine to have dislikes. You just need to be able to
explain them and / or set them aside if someone explains their position
better.
> next, we were a bind shop but switched to infoblox for some stuff and
> now outgrew it, and are going back to bind.
>
> but we started using the dns firewall part of it and they actually
> really liked it. any ideas for domain blacklisting? via some sort of
> feed etc? what is everyone doing for that sort of thing?
Response Policy Zone(s) are what you want. I thought that's how
Infoblox did it themselves. Maybe they were using the newer Response
Policy Service. - It's my understanding that the RPS API is open and
documented. It's just that there aren't any Open Source / free RPS
services.
IMHO: RPS is similar to milter for Sendmail or WCCP for caching proxies.
--
Grant. . . .
unix || die
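What a BIND RPZ setup looks like in practice, as an added example that is not from this thread, from ISC or from Infoblox: a named.conf fragment wiring a locally maintained policy zone and a slaved feed zone into the resolver, followed by the local zone file showing how RPZ encodes triggers (owner names) and actions (RDATA). The zone names, file paths, the feed server address and the sample domains are assumptions.

```conf
// named.conf (assumed layout): two policy zones are consulted in the order
// listed, so the local zone can override the feed. "rpz.local" is mastered
// here; "rpz.feed.example" stands in for a feed provider's zone that is
// slaved (secondary) rather than forwarded.
options {
    recursion yes;
    response-policy {
        zone "rpz.local";                       // local overrides, checked first
        zone "rpz.feed.example" policy given;   // apply the actions the feed encodes
    } qname-wait-recurse no;                    // answer from RPZ without recursing first
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };     // policy data is never served to clients
    allow-transfer { none; };
};

zone "rpz.feed.example" {
    type slave;
    masters { 192.0.2.53; };   // placeholder for the feed provider's transfer server
    file "/var/cache/bind/db.rpz.feed";
    allow-query { none; };
};

; /etc/bind/db.rpz.local -- the owner name is the query name to match, the
; RDATA is the action. Bump the serial on each edit so a reload is picked up.
$TTL 300
@                  IN SOA localhost. hostmaster.localhost. (
                         2018102501 3600 900 604800 300 )
                   IN NS  localhost.
; NXDOMAIN for the name and everything under it (constructed sample names)
bad.example        IN CNAME .
*.bad.example      IN CNAME .
; NODATA (empty answer) instead of NXDOMAIN
ads.example        IN CNAME *.
; walled garden: hand the client a local notice page instead of the real host
phish.example      IN A     192.0.2.10
; pass-through exception so a later feed entry cannot block this name
allowed.example    IN CNAME rpz-passthru.
```

After `rndc reload`, `rndc dumpdb -zones` and the `rpz` logging category show which policy zone matched a given query, which is the audit trail to keep when a block is questioned.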