Date: Fri, 3 Dec 1999 21:59:11 +1300
From: kit <kit@hypostasis.com>
To: Brent Kearney <brent@kearneys.ca>
Cc: questions@FreeBSD.ORG
Subject: Re: Internal vs External DNS (2 nameds)
Message-ID: <19991203215911.A16629@amethyst.hypostasis.com>
In-Reply-To: <19991202144429.A86312@kearneys.ca>; from Brent Kearney on Thu, Dec 02, 1999 at 02:44:29PM -0800
References: <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>
On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to
> > > listen on different interfaces and supply DNS info to differing
> >
> > Good enough. Take care in the configuration files of the two named's
>
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version. If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
Not quite as easy as it could be. I think I need to actually delete all
the previous bind 8.1.2 files and then run make install from ports. Or
do it by hand ;)
Interestingly the ports version with STABLE's 8.1.2 installed puts everything
in /usr/local/sbin and leaves the previous 8.1.2 in /usr/sbin (as of about
8 days ago). It also defaults to /etc/named.conf rather than
/etc/namedb/named.conf as the conf file. Whereas with RELEASE and
the 8.1.2 port installed pkg_delete on the 8.1.2 and make on the port
installed everything as I had expected. Of course running named with
explicit conf files gets around part of the problem but I have not yet
checked to see which versions and from which paths it will call the
other programs it uses. 8.1.2 is also not vulnerable to the access bug
(and I run it with -u bind -g bind) so access to the machine is not
likely. Mind you having just reread the bind security notices at isc.org
it is vulnerable to more than I thought of the DoS bugs so it's a good thing
that I've got a weekend to make some time in :)
> List at large: can't BIND do both his internal and external networks?
> (i.e., run one copy of BIND for both networks). If so, would the
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?
To run bind to serve different answers to different networks there are
two options.
1. To have separate zones
i.e. something like

    // internal zone: only answer hosts on the directly attached networks
    zone "int.hypostasis.com" {
        type master;
        file "s/db.internal";
        allow-query { localnets; };
    };

    // public zone: answer everyone except the internal networks
    // ("any" is the BIND keyword; "all" is not a predefined ACL)
    zone "hypostasis.com" {
        type master;
        file "s/db.external";
        allow-query { !localnets; any; };
    };

which will allow me to access the shared machines by substituting the "int."
into the name.
or
2. Run 2 servers both with the same zone.
This requires
listen-on { 192.168.1.1; };
and
listen-on { 192.168.0.1; };
in the appropriate .conf files, so that the first instance does not
grab all the available interfaces. To make matters interesting I
have 2 lots of nat between me and the world. My connection is ADSL on
an external router/modem which can make the numbers look all too similar.
It's really a question of blocking all I don't want to see with ipfw.
Both methods are mentioned in the comp.protocols.tcp-ip.domains FAQ
http://www.intac.com/~cdp/cptd-faq/section5.html#split_DNS
The FreeBSDDiary also has the first method at
http://www.freebsddiary.org/freebsd/privatedns.htm
As and when I'm happy that it's behaving as I expect I'll set it up as
a proper name server and switch my domain to it.
>
> -Brent
--kit
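As an added example (not kit's configuration and not part of the original post), here are the two approaches from the message written out as complete BIND 8 named.conf files, with the access controls a defender would want on each zone. The "internal" acl, the directory, the zone file names and the pid-file paths are assumptions; the addresses 192.168.0.1 and 192.168.1.1 and the zone names are the ones from the thread.

```conf
// ---------------------------------------------------------------------
// Option 1: one named, two zones, access restricted per zone.
// Added example; everything below is a constructed sample.
// ---------------------------------------------------------------------

// Constructed: the networks that count as "inside". Adjust to your LAN.
acl "internal" { 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/etc/namedb";        // assumed layout; named.conf is run with -c
    pid-file  "/var/run/named.pid";
    // Default for every zone unless a zone overrides it: never hand out a
    // whole zone by AXFR.  allow-query on its own does not stop transfers.
    allow-transfer { none; };
};

// Internal names live under the "int." label and are only answered inside.
zone "int.hypostasis.com" {
    type master;
    file "s/db.internal";
    allow-query    { "internal"; };
    allow-transfer { none; };
};

// Public zone: anyone may query it, nobody may transfer it.
zone "hypostasis.com" {
    type master;
    file "s/db.external";
    allow-query    { any; };
    allow-transfer { none; };
};

// ---------------------------------------------------------------------
// Option 2: two named instances, same zone name, different data.
// Each instance gets its own conf file, its own listen-on address and
// its own pid-file, otherwise the second start overwrites the first's
// pid file and "kill `cat named.pid`" stops the wrong daemon.
// ---------------------------------------------------------------------

// --- /etc/namedb/named-int.conf (assumed path): the inside instance ---
options {
    directory "/etc/namedb";
    pid-file  "/var/run/named-int.pid";
    listen-on { 192.168.1.1; };     // inside interface only
    allow-transfer { none; };
};
zone "hypostasis.com" {
    type master;
    file "s/db.internal";
    allow-query { "internal"; };   // belt and braces: listen-on binds an
                                   // address, it is not a packet filter
};

// --- /etc/namedb/named-ext.conf (assumed path): the outside instance ---
options {
    directory "/etc/namedb";
    pid-file  "/var/run/named-ext.pid";
    listen-on { 192.168.0.1; };     // address facing the NAT router
    allow-transfer { none; };
};
zone "hypostasis.com" {
    type master;
    file "s/db.external";
    allow-query { any; };
};
```

With option 2 each instance is started against its own file, e.g. `named -u bind -g bind -c /etc/namedb/named-int.conf`, and the ipfw rules mentioned in the message still have to stop traffic from the outside reaching 192.168.1.1, since listen-on only decides which socket named opens. In both options the allow-transfer lines are the security-relevant addition: without them a remote host that can query the zone can usually also dump it.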
