From owner-freebsd-security Sun Jan 30 20:25:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id EC3491533E for ; Sun, 30 Jan 2000 20:25:38 -0800 (PST) (envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id UAA21380; Sun, 30 Jan 2000 20:48:38 -0800 (PST)
Date: Sun, 30 Jan 2000 20:48:38 -0800
From: Alfred Perlstein
To: Craig Harding
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <20000130204837.M13027@fw.wintelcom.net>
References: <38962E10.9951FD38@outpost.co.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <38962E10.9951FD38@outpost.co.nz>; from crh@outpost.co.nz on Mon, Jan 31, 2000 at 04:51:28PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Craig Harding [000130 20:03] wrote:
> Brett Glass wrote:
>
> > Which brings up a question I've had for a long time. When I set up a
> > system as a NAT router, I would like to assign names to the internal
> > machines (e.g. on 10.x.x.x) so that the POP server and other programs
> > that do DNS queries are happy. (It also makes the logs more readable.)
> > However, I don't want anyone OUTSIDE to be able to do forward or
> > reverse DNS for those machines. Is there an easy way to do this?
>
> I'm in exactly the same situation on our network. I originally
> planned to use two copies of BIND running on the one gateway machine,
> each listening on a different interface (1 internal, 1 external), but
> with the version of BIND I was using (8.1 I think) I found that this
> wasn't possible, contrary to the documentation.
>
> Instead I just use a second machine as the authoritative nameserver
> for all the internal machines. It knows about the local names for
> everything on our 192.168.x.x net, and forwards external queries to
> the real nameserver, which is visible to the outside world and has
> a real IP address. This works satisfactorily, although I would prefer
> a more elegant solution.

Do a search for my name and this subject and you'll see that I posted
some tips on getting recent bind 8.2.2 working on multiple interfaces.

The problem stems from the ndc named pipe it uses.

-Alfred

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
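The two-instance layout Craig describes, written out as a pair of BIND 8.2-era named.conf fragments. This is an added illustration, not Alfred's posted tips and not a configuration shipped with FreeBSD or BIND. The interface addresses (192.168.1.1 inside, 203.0.113.5 outside), zone names and file paths are assumptions; the `allow-recursion` option is used on the belief that 8.2.2 supports it, so check your named.conf(5) if your build predates it. The point Alfred raises is visible in the `controls` blocks: each instance gets its own unix control channel, because two copies of named sharing the default ndc pipe cannot both run.

```conf
# /etc/namedb/named-internal.conf   (example only, not from the thread)
# Internal instance: binds only to the inside interface, is authoritative
# for the private forward and reverse zones, and forwards everything else
# to the external instance over loopback.
options {
        directory "/etc/namedb";
        pid-file  "/var/run/named-internal.pid";    # must differ per instance
        listen-on port 53 { 192.168.1.1; };         # inside address (assumed)
        allow-query { 192.168.0.0/16; 127.0.0.1; };
        forward only;
        forwarders { 127.0.0.1; };                  # the external instance
};

# Separate ndc channel; the default /var/run/ndc can only serve one named.
controls {
        unix "/var/run/ndc-internal" perm 0600 owner 0 group 0;
};

zone "example.internal" {
        type master;
        file "master/example.internal";      # A records for 192.168.x.x hosts
};

zone "168.192.in-addr.arpa" {
        type master;
        file "master/168.192.in-addr.arpa";  # reverse records, inside only
};

# -----------------------------------------------------------------------
# /etc/namedb/named-external.conf   (example only, not from the thread)
# External instance: binds to the outside interface plus loopback, serves
# only the public zone, and recurses solely for the internal instance, so
# nobody outside can resolve or reverse the 192.168.x.x names.
options {
        directory "/etc/namedb";
        pid-file  "/var/run/named-external.pid";
        listen-on port 53 { 203.0.113.5; 127.0.0.1; };   # outside address (assumed)
        allow-query { any; };
        allow-recursion { 127.0.0.1; };             # not an open resolver
};

controls {
        unix "/var/run/ndc-external" perm 0600 owner 0 group 0;
};

zone "example.com" {
        type master;
        file "master/example.com";           # public names only
};
```

Start each copy with its own config file, `named -c /etc/namedb/named-internal.conf` and `named -c /etc/namedb/named-external.conf`, and point the gateway's own /etc/resolv.conf at 192.168.1.1. Because the control sockets differ, `ndc -c /var/run/ndc-internal reload` and `ndc -c /var/run/ndc-external reload` address the right process. To confirm the split, query the outside address for an internal name and for a 192.168.x.x PTR from a host beyond the gateway: neither should be answered, while the same queries against 192.168.1.1 from inside should be.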