From owner-freebsd-questions Thu Dec  2 16:42:53 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1])
	by hub.freebsd.org (Postfix) with ESMTP id 0304214BCC
	for ; Thu, 2 Dec 1999 16:42:48 -0800 (PST)
	(envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from localhost.hell.gr (patr530-a066.otenet.gr [195.167.115.66])
	by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id CAA15387
	for ; Fri, 3 Dec 1999 02:42:28 +0200 (EET)
Received: (qmail 32145 invoked by uid 1001); 3 Dec 1999 00:42:29 -0000
Date: Fri, 3 Dec 1999 02:42:29 +0200
From: d e a t h
To: Brent Kearney
Cc: questions@freebsd.org
Subject: Re: Internal vs External DNS (2 nameds)
Message-ID: <19991203024229.C31576@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <19991202144429.A86312@kearneys.ca>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to
> > > listen on different interfaces and supply DNS info to differing
> >
> > Good enough. Take care in the configuration files of the two named's
>
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version. If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
>
> List at large: can't BIND do both his internal and external networks?
> (i.e., run one copy of BIND for both networks). If so, would the
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?

Yes, each zone of named can be configured with an `allow-query'
statement that will make it accessible from a set of IPs or subnets.
If you don't want anyone from your "external" network to be allowed to
do lookups to 10.0.0.0/8 addresses, in your named.conf you can put

    // reverse zone for 10.0.0.0/24; the reverse zone for all of
    // 10.0.0.0/8 would be "10.IN-ADDR.ARPA"
    zone "0.0.10.IN-ADDR.ARPA" {
        type master;
        file "primary/localnet-rev";
        // only these clients get answers for this zone; everyone else
        // is refused
        allow-query { 10.0.0.0/8; 127.0.0.1; };
    };

and you're pretty sure that no queries will be sent to this zone from
any hosts not listed in allow-query.

A combination of allow-query and allow-transfer might make the
paranoid among us feel even more `safe' and relaxed ;)

Carefully tuned allow-query and allow-transfer lines in all your zones
are certainly a Good Thing(TM).

Ciao.

-- 
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
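The reply above turns on two things: what a zone's allow-query / allow-transfer list actually decides for a given client, and what happens to a zone that sets one but not the other. The following is an added example (my own code, not from the post, the thread, or the BIND project) that reads a named.conf, applies BIND's rules for those two clauses, and reports which zones an address may query or transfer. Assumptions, labelled in the code: only the subset of named.conf syntax used in the sample is parsed (acl, options, zone, address-match lists with prefixes, `!` negation, `any`, `none`, `localhost`); `localhost` is approximated as the loopback address, whereas real BIND matches every address of the server's own interfaces; defaults follow BIND 8, where both allow-query and allow-transfer default to `any`. The sample named.conf and all addresses in it are constructed; the reverse zone in it is the one from the reply, kept exactly as posted with allow-query but no allow-transfer of its own.

```python
"""Audit allow-query / allow-transfer in a named.conf.

Added example, not from the original post.  It understands only the subset
of BIND 8/9 named.conf syntax used in SAMPLE_NAMED_CONF and applies BIND's
rules: a zone-level clause overrides the options-level one, the first
matching list element decides, no matching element means denied, and a
clause absent from both levels falls back to BIND 8's default of 'any'.
"""
import ipaddress
import re

# Constructed sample configuration (not the original poster's).  The reverse
# zone is the one from the reply: allow-query set, allow-transfer not.
SAMPLE_NAMED_CONF = """
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { 192.0.2.53; };

options {
    directory "/etc/namedb";
};

zone "0.0.10.IN-ADDR.ARPA" {
    type master;
    file "primary/localnet-rev";
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

zone "internal.example" {
    type master;
    file "primary/internal";
    allow-query    { !10.0.0.99; internal; };   // one internal host refused
    allow-transfer { internal; };
};

zone "example.com" {
    type master;
    file "primary/example.com";
    allow-query    { any; };
    allow-transfer { secondaries; };
};
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Strip /* */, // and # comments, then split into tokens."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#)[^\n]*', '', text)
    return _TOKEN.findall(text)


def parse(tokens):
    """Return a list of (words, body) statements.  body is a nested list for
    brace blocks and None for plain 'word word;' statements."""
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != '}':
            words, body = [], None
            while tokens[pos] not in ('{', ';'):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if tokens[pos] == '{':
                pos += 1
                body = block()
                pos += 1          # skip the closing '}'
            pos += 1              # skip the ';'
            stmts.append((words, body))
        return stmts

    return block()


class NamedConf:
    def __init__(self, text):
        self.acls, self.options, self.zones = {}, {}, {}
        for words, body in parse(tokenize(text)):
            if words[0] == 'acl':
                self.acls[words[1]] = body
            elif words[0] == 'options':
                self.options = self._index(body)
            elif words[0] == 'zone':
                self.zones[words[1].lower()] = self._index(body)

    @staticmethod
    def _index(body):
        return {w[0]: (w[1:], b) for w, b in body}

    def match(self, aml, ip):
        """BIND first-match over an address-match list: True for a positive
        match, False for a negated match, None if no element matched."""
        for words, _ in aml:
            elem = ''.join(words)            # accepts '!10.0.0.99' and '! 10.0.0.99'
            negate = elem.startswith('!')
            if negate:
                elem = elem[1:]
            if elem == 'any':
                hit = True
            elif elem == 'none':
                hit = False
            elif elem == 'localhost':
                hit = ip.is_loopback         # assumption: real BIND matches all local interfaces
            elif elem in self.acls:
                hit = self.match(self.acls[elem], ip) is True
            else:
                hit = ip in ipaddress.ip_network(elem, strict=False)
            if hit:
                return not negate
        return None

    def allows(self, zone, clause, ip):
        """Effective decision for 'allow-query' or 'allow-transfer'."""
        entry = self.zones[zone.lower()].get(clause) or self.options.get(clause)
        if entry is None:
            return True                      # BIND 8 default for both clauses: any
        return self.match(entry[1], ipaddress.ip_address(ip)) is True


def open_to(conf, ip):
    """Every (zone, clause) pair the given client address may use."""
    return sorted((zone, clause)
                  for zone in conf.zones
                  for clause in ('allow-query', 'allow-transfer')
                  if conf.allows(zone, clause, ip))


if __name__ == '__main__':
    conf = NamedConf(SAMPLE_NAMED_CONF)
    for client in ('203.0.113.5', '10.0.0.5', '10.0.0.99'):
        print(client, open_to(conf, client))
```

Run against the sample, an outside address (203.0.113.5) is refused queries for the reverse zone, as the reply says, but may still AXFR it, because the zone inherited the default allow-transfer; the acl-protected internal.example refuses both, and example.com answers anyone while transferring only to its secondary. That is the gap the reply's "combination of allow-query and allow-transfer" closes: allow-query alone hides answers from outsiders, not the zone file.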