Date: Fri, 3 Dec 1999 02:42:29 +0200
From: d e a t h <charon@hades.hell.gr>
To: Brent Kearney <brent@kearneys.ca>
Cc: questions@freebsd.org
Subject: Re: Internal vs External DNS (2 nameds)
Message-ID: <19991203024229.C31576@hades.hell.gr>
In-Reply-To: <19991202144429.A86312@kearneys.ca>
References: <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>
On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to
> > > listen on different interfaces and supply DNS info to differing
> >
> > Good enough. Take care in the configuration files of the two named's
>
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version. If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
>
> List at large: can't BIND do both his internal and external networks?
> (i.e., run one copy of BIND for both networks). If so, would the
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?
Yes, each zone of named can be configured with an `allow-query'
statement that will make it accessible from a set of IPs or subnets.
If you don't want anyone from your "external" network to be allowed to
do lookups to 10.0.0.0/8 addresses, in your named.conf you can put
    zone "0.0.10.IN-ADDR.ARPA" {
            type master;
            file "primary/localnet-rev";
            allow-query { 10.0.0.0/8; 127.0.0.1; };
    };
and you're pretty sure that no queries will be sent to this zone from
any hosts not listed in allow-query. A combination of allow-query and
allow-transfer might make those paranoid of us feel even more `safe'
and relaxed ;)
Carefully tuned allow-query and allow-transfer lines in all your zones
are certainly a Good Thing(TM).
Ciao.
--
Giorgos Keramidas, <keramida@ceid.upatras.gr>
"What we have to learn to do, we learn by doing." [Aristotle]
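An added example, not part of Giorgos's message or the original thread, of how the allow-query and allow-transfer idea carries through a whole named.conf on a single named: an acl for the internal network, a reverse zone for 10/8 and an internal forward zone that only that acl may query, and a public zone that anyone may query but only a listed secondary may transfer. The acl names, the zone names corp.example and example.com, the file paths and the secondary's address 192.0.2.53 are all assumed for illustration.

```conf
// Added example named.conf fragment (not from the original thread).
// Every name, address and file path below is assumed for illustration.

// Hosts that count as "internal": the 10/8 network plus the resolver itself.
acl internal { 10.0.0.0/8; 127.0.0.1; };

// Assumed address of the public secondary name server.
acl secondaries { 192.0.2.53; };

options {
        directory "/etc/namedb";
        // Deny-by-default for every zone; individual zones below override it,
        // so a zone that forgets its own allow-query stays closed, not open.
        allow-query { internal; };
        allow-transfer { none; };
};

// Reverse zone for the whole 10/8 block: internal hosts only, never transferred.
zone "10.IN-ADDR.ARPA" {
        type master;
        file "primary/localnet-rev";
        allow-query { internal; };
        allow-transfer { none; };
};

// Internal forward zone: internal hosts only, never transferred.
zone "corp.example" {
        type master;
        file "primary/corp.example";
        allow-query { internal; };
        allow-transfer { none; };
};

// Public zone: anyone may query it, only the listed secondary may AXFR it.
zone "example.com" {
        type master;
        file "primary/example.com";
        allow-query { any; };
        allow-transfer { secondaries; };
};
```

The options-level defaults are the part worth keeping even if the zone list grows: with them in place, a new zone added later without its own allow-query inherits the internal-only setting rather than being world-readable. After reloading named, a lookup of a corp.example or 10.IN-ADDR.ARPA name from a host outside the internal acl should come back refused, while example.com answers normally.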
