Date: Fri, 3 Dec 1999 21:59:11 +1300
From: kit
To: Brent Kearney
Cc: questions@FreeBSD.ORG
Subject: Re: Internal vs External DNS (2 nameds)
Message-ID: <19991203215911.A16629@amethyst.hypostasis.com>
References: <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>
In-Reply-To: <19991202144429.A86312@kearneys.ca>; from Brent Kearney on Thu, Dec 02, 1999 at 02:44:29PM -0800

On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to
> > > listen on different interfaces and supply DNS info to differing
> >
> > Good enough. Take care in the configuration files of the two named's
>
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version. If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.

Not quite as easy as it could be. I think I need to actually delete all
the previous bind 8.1.2 files and then run make install from ports. Or
do it by hand ;)

Interestingly the ports version with STABLE's 8.1.2 installed puts
everything in /usr/local/sbin and leaves the previous 8.1.2 in /usr/sbin
(as of about 8 days ago). It also defaults to /etc/named.conf rather
than /etc/namedb/named.conf as the conf file. Whereas with RELEASE and
the 8.1.2 port installed, pkg_delete on the 8.1.2 and make on the port
installed everything as I had expected.

Of course running named with explicit conf files gets around part of
the problem but I have not yet checked to see which versions and from
which paths it will call the other programs it uses.

8.1.2 is also not vulnerable to the access bug (and I run it with
-u bind -g bind) so access to the machine is not likely. Mind you,
having just reread the bind security notices at isc.org it is vulnerable
to more than I thought of the DoS bugs so it's a good thing that I've
got a weekend to make some time in :)

> List at large: can't BIND do both his internal and external networks?
> (i.e., run one copy of BIND for both networks). If so, would the
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?

To run bind to serve different answers to different networks there are
two options.

1. To have separate zones, i.e. something like

    zone "int.hypostasis.com" {
        type master;
        file "s/db.internal";
        allow-query { localnets; };
    };
    zone "hypostasis.com" {
        type master;
        file "s/db.external";
        // first match wins: local clients are refused, everyone else allowed
        allow-query { !localnets; any; };
    };

   which will allow me to access the shared machines by substituting the
   "int." into the name.

or

2. Run 2 servers both with the same zone. This requires

    listen-on { 192.168.1.1; };

   and

    listen-on { 192.168.0.1; };

   in the appropriate .conf files, so that the first instance does not
   grab all the available interfaces.

To make matters interesting I have 2 lots of nat between me and the
world. My connection is ADSL on an external router/modem which can make
the numbers look all too similar. It's really a question of blocking all
I don't want to see with ipfw.

Both methods are mentioned in the comp.protocols.tcp-ip.domains FAQ
http://www.intac.com/~cdp/cptd-faq/section5.html#split_DNS
The FreeBSDDiary also has the first method at
http://www.freebsddiary.org/freebsd/privatedns.htm

As and when I'm happy that it's behaving as I expect I'll set it up as a
proper name server and switch my domain to it.

> -Brent

--kit
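Added illustration, not part of the thread or of BIND itself: a small Python model of how named evaluates the address match lists in the allow-query statements of option 1 (elements are checked in order, the first match decides, and a matching negated element denies), which is why `{ !localnets; any; }` and `{ any; !localnets; }` behave differently. The subnets that the built-in `localnets` ACL expands to are an assumption.

```python
import ipaddress

# Constructed assumption: the interface subnets behind the gateway that
# BIND's built-in "localnets" ACL would expand to (the thread only shows
# the two listen-on addresses, so /24s are assumed here).
LOCALNETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

def _element_matches(element, client):
    """Match one address_match_list element. Returns (matched, negated)."""
    negated = element.startswith("!")
    name = element.lstrip("!").strip()
    if name == "any":
        matched = True
    elif name == "none":
        matched = False
    elif name == "localhost":
        matched = client.is_loopback
    elif name == "localnets":
        matched = any(client in net for net in LOCALNETS)
    else:
        # A literal address or prefix such as 192.168.1.1 or 10.0.0.0/8.
        matched = client in ipaddress.ip_network(name, strict=False)
    return matched, negated

def acl_allows(acl, client_ip):
    """Evaluate an allow-query list the way named does: walk the elements
    in order, the first one that matches decides, a matching negated
    element denies, and a client that matches nothing is denied."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        matched, negated = _element_matches(element, client)
        if matched:
            return not negated
    return False

# The two ACLs from the zone statements in option 1 above.
INTERNAL_ZONE_ACL = ["localnets"]
EXTERNAL_ZONE_ACL = ["!localnets", "any"]

def visible_zones(client_ip):
    """Which of the two zones a given client may query."""
    zones = {
        "int.hypostasis.com": INTERNAL_ZONE_ACL,
        "hypostasis.com": EXTERNAL_ZONE_ACL,
    }
    return sorted(z for z, acl in zones.items() if acl_allows(acl, client_ip))
```

Swapping the order to `["any", "!localnets"]` lets internal clients through, since `any` matches first; that is the mistake this model makes visible.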