Date: Tue, 20 Feb 1996 15:11:06 +0200 (EET)
From: Narvi <narvi@haldjas.folklore.ee>
To: invalid opcode <coredump@nervosa.com>
Cc: Ollivier Robert <roberto@keltia.freenix.fr>, me@gw.muc.ditec.de, hackers@freebsd.org
Subject: Re: An ISP's Wishlist...
Message-ID: <Pine.BSF.3.91.960220150605.10170B-100000@haldjas.folklore.ee>
In-Reply-To: <Pine.BSF.3.91.960219184854.1181D-100000@nervosa.com>
On Mon, 19 Feb 1996, invalid opcode wrote:

> On Mon, 19 Feb 1996, Ollivier Robert wrote:
>
> > It seems that Narvi said:
> > > I've done this, it wasn't too difficult. I'm now running three
> > > nameds on our firewall bastion, one to serve the inside network
> > > with everything on the outside hidden and a wildcard MX-record
>
> Why not just run 2 named servers on 2 separate machines (2 total). The
> bastion host would run named, and any name queries to the protected
> network would be forwarded to an internal host running the second named
> server, which of course, by default (firewalled), only trusts the
> bastion host. This way you only run 2 named servers, and protect the
> secrecy of the internal hosts. Of course, the only problem I can think
> of is the possibility of the bastion named caching the lookups and
> outsiders being able to see internal hostnames via the cache.
>
> == Chris Layne =============================================================
> == coredump@nervosa.com ================= http://www.nervosa.com/~coredump ==

Exactly - having the mutated named is actually an advantage, if you don't
have (and can't have) 2 hosts for it, especially if it is cost-wise (in
terms of time spent on look-ups) to run a caching name server on your
bastion host. And if the surrounding net is stupid enough to *have* the
internal host names kept secret.

Sander.
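Added illustration, not part of the thread and not anyone's actual configuration: the two-server layout Chris describes, written in BIND 9 named.conf syntax (the 1996 machines would have been running BIND 4 with a named.boot, so this is a modern rendering of the same idea). Everything concrete here is assumed for the sake of the example: the domain corp.example, the addresses 192.0.2.1 (bastion, outside) and 10.0.0.1 (bastion, inside), 10.0.0.53 for the internal named, 10.0.0.0/8 for the protected network, and the file names. The cache leak Chris worries about is handled by giving outsiders a view with no recursion and no cache access; in BIND 9 each view also keeps its own cache, so answers the inside view fetched from the internal server never sit in the cache the outside view answers from.

```conf
### bastion host: /etc/named.conf (constructed example, hypothetical addresses)

acl inside { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };      # no zone transfers from this box at all
};

# Inside clients: a recursive resolver that forwards the internal zone
# to the protected named and resolves everything else via the roots.
view "internal" {
    match-clients { inside; };
    recursion yes;
    allow-query { inside; };
    allow-query-cache { inside; };

    zone "." { type hint; file "named.root"; };

    zone "corp.example" {
        type forward;
        forward only;                  # never try the public zone below
        forwarders { 10.0.0.53; };     # the internal named
    };
};

# Everyone else: authoritative-only for the public version of the zone.
# No recursion and no cache access means an outsider cannot read back
# whatever the inside view has looked up.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "corp.example" {
        type master;                   # "primary" on BIND 9.16 and later
        file "db.corp.example.public";
    };
};

### bastion host: /var/named/db.corp.example.public (constructed example)
### Only the bastion is published; the wildcard MX from Narvi's setup
### pulls mail for any inside host name to the bastion.
; $TTL 86400
; @        IN SOA bastion.corp.example. hostmaster.corp.example. (
;                 1996022001 3600 900 604800 86400 )
;          IN NS  bastion.corp.example.
;          IN MX  10 bastion.corp.example.
; *        IN MX  10 bastion.corp.example.
; bastion  IN A   192.0.2.1

### internal host (10.0.0.53): /etc/named.conf (constructed example)
### Authoritative for the real zone; answers the bastion and nobody else.

acl bastion { 10.0.0.1; };

options {
    directory "/var/named";
    recursion no;
    allow-query { bastion; };
    allow-transfer { none; };
};

zone "corp.example" {
    type master;
    file "db.corp.example.internal";   # the full internal host list
};
```

The allow-query on the internal server is belt-and-braces: the packet filter between the outside and 10.0.0.53 should already drop port 53 from anywhere but the bastion, and the named ACL only guards against a misconfigured filter. To check the leak Chris describes, resolve an internal-only name from an inside host (so the bastion fetches and caches it), then from an outside address run `dig @192.0.2.1 somehost.corp.example +norecurse`; the answer must come from db.corp.example.public (an MX via the wildcard, or NXDOMAIN), never the 10.x address the inside view just learned.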