Date: Fri, 3 Dec 1999 02:42:29 +0200
From: d e a t h <charon@hades.hell.gr>
To: Brent Kearney <brent@kearneys.ca>
Cc: questions@freebsd.org
Subject: Re: Internal vs External DNS (2 nameds)
Message-ID: <19991203024229.C31576@hades.hell.gr>
In-Reply-To: <19991202144429.A86312@kearneys.ca>
References: <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>
On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to
> > > listen on different interfaces and supply DNS info to differing
> >
> > Good enough. Take care in the configuration files of the two named's
>
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version. If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
>
> List at large: can't BIND do both his internal and external networks?
> (i.e., run one copy of BIND for both networks). If so, would the
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?

Yes, each zone of named can be configured with an `allow-query' statement
that will make it accessible from a set of IPs or subnets. If you don't
want anyone from your "external" network to be allowed to do lookups to
10.0.0.0/8 addresses, in your named.conf you can put

    zone "0.0.10.IN-ADDR.ARPA" {
        type master;
        file "primary/localnet-rev";
        allow-query { 10.0.0.0/8; 127.0.0.1; };
    };

and you're pretty sure that no queries will be sent to this zone from any
hosts not listed in allow-query. A combination of allow-query and
allow-transfer might make those paranoid of us feel even more `safe' and
relaxed ;)

Carefully tuned allow-query and allow-transfer lines in all your zones are
certainly a Good Thing(TM).

Ciao.

-- 
Giorgos Keramidas, <keramida@ceid.upatras.gr>
"What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
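The per-zone allow-query / allow-transfer advice above can be checked mechanically before named is restarted. The following audit script is an added example, not code from the thread or from the BIND project: it parses a small, constructed named.conf (the reverse zone from the message plus two contrasting zones that are invented here), resolves each zone's effective allow-transfer ACL (zone statement, falling back to the options block, and otherwise the BIND 8 default of "any"), and reports zones that either allow transfers to anyone or serve a private reverse zone, or a zone you declare internal, to any client. The zone-name heuristic for RFC 1918 reverse zones and the simplified brace-matching regexes are assumptions that cover the common single-level layout shown in the message, not the full named.conf grammar; it needs Python 3.7 or later for ipaddress.subnet_of.

```python
import ipaddress
import re

# Constructed sample: the zone from the message plus two invented zones.
SAMPLE_NAMED_CONF = """
options {
    directory "/etc/namedb";
    allow-transfer { none; };
};

zone "0.0.10.IN-ADDR.ARPA" {
    type master;
    file "primary/localnet-rev";
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

zone "internal.example" {
    type master;
    file "primary/internal";
    allow-query { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer { 10.0.0.2; };
};

zone "example.com" {
    type master;
    file "primary/example.com";
    allow-transfer { any; };
};
"""

# Simplified grammar: a block ends at the first "};" that starts a line.
OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'(allow-query|allow-transfer)\s*\{([^}]*)\}')

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_acl(body):
    """Turn ' 10.0.0.0/8; 127.0.0.1; ' into ['10.0.0.0/8', '127.0.0.1']."""
    return [e.strip() for e in body.split(";") if e.strip()]


def is_private_reverse(zone_name):
    """True for IN-ADDR.ARPA zones that cover RFC 1918 space (assumed heuristic)."""
    name = zone_name.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return False
    octets = name[:-len(suffix)].split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return False
    # Reverse labels are least-significant first; pad to a full prefix.
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    net = ipaddress.ip_network("%s/%d" % (".".join(forward), 8 * len(octets)),
                               strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit_named_conf(conf, internal=()):
    """Return {zone name: [finding, ...]}; an empty list means no concern found.

    `internal` lists forward zones the operator considers private; reverse
    zones for RFC 1918 space are treated as internal automatically.
    """
    global_transfer = None
    opts = OPTIONS_RE.search(conf)
    if opts:
        global_transfer = dict(
            (k, parse_acl(v)) for k, v in ACL_RE.findall(opts.group(1))
        ).get("allow-transfer")

    report = {}
    for name, body in ZONE_RE.findall(conf):
        acls = dict((k, parse_acl(v)) for k, v in ACL_RE.findall(body))
        query = acls.get("allow-query")
        transfer = acls.get("allow-transfer", global_transfer)
        findings = []
        if name in internal or is_private_reverse(name):
            if query is None:
                findings.append("internal zone has no allow-query: any client can look it up")
            elif "any" in query:
                findings.append("internal zone has allow-query { any; }")
        if transfer is None:
            findings.append("no allow-transfer in zone or options: default allows AXFR from anyone")
        elif "any" in transfer:
            findings.append("allow-transfer { any; }: anyone can AXFR the zone")
        report[name] = findings
    return report


if __name__ == "__main__":
    for zone, findings in audit_named_conf(SAMPLE_NAMED_CONF,
                                           internal={"internal.example"}).items():
        print(zone, "->", findings or "ok")
```

Run against the constructed sample, the reverse zone and internal.example come back clean (the reverse zone inherits allow-transfer { none; } from options), while example.com is flagged for allowing transfers to anyone.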