From owner-freebsd-hackers Tue Feb 20 05:19:15 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA12288 for hackers-outgoing; Tue, 20 Feb 1996 05:19:15 -0800 (PST)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id FAA12033 for ; Tue, 20 Feb 1996 05:11:50 -0800 (PST)
Received: (from narvi@localhost) by haldjas.folklore.ee (8.6.12/8.6.12) id PAA10318; Tue, 20 Feb 1996 15:11:06 +0200
Date: Tue, 20 Feb 1996 15:11:06 +0200 (EET)
From: Narvi
To: invalid opcode
cc: Ollivier Robert, me@gw.muc.ditec.de, hackers@freebsd.org
Subject: Re: An ISP's Wishlist...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
Precedence: bulk

On Mon, 19 Feb 1996, invalid opcode wrote:

> On Mon, 19 Feb 1996, Ollivier Robert wrote:
> > > It seems that Narvi said:
> > > > I've done this, it wasn't too difficult. I'm now running three
> > > > nameds on our firewall bastion, one to serve the inside network
> > > > with everything on the outside hidden and a wildcard MX-record
>
> Why not just run 2 named servers on 2 separate machines (2 total)? The
> bastion host would run named, and any name queries to the protected
> network would be forwarded to an internal host running the second named
> server, which of course, by default (firewalled), only trusts the
> bastion host. This way you only run 2 named servers, and protect the
> secrecy of the internal hosts. Of course, the only problem I can think
> of is the possibility of the bastion named caching the lookups and
> outsiders being able to see internal hostnames via the cache.
>
> == Chris Layne =============================================================
> == coredump@nervosa.com ================= http://www.nervosa.com/~coredump ==
>

Exactly - having the mutated named is actually an advantage, if you don't
have (and can't have) 2 hosts for it, especially if it is cost-wise (in
terms of time spent on look-ups) to run a caching name server on your
bastion host. And if the surrounding net is stupid enough to *have* the
internal host names kept secret.

Sander.
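A BIND 9 rendering of the two-server layout Chris describes, with the cache restriction that closes the leak he raises (outsiders reading internal names out of the bastion's cache). This is an added example, not configuration from the thread or from any of the posters; the addresses, zone names and file names are assumptions.

```conf
// ---- Bastion host named.conf (assumed 192.0.2.1 outside, 10.0.0.1 inside) ----
acl inside { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    recursion yes;
    // Only the inside network may use this server recursively ...
    allow-recursion { inside; };
    // ... and only the inside may read what it has cached, so a cached
    // internal name is never handed to a query from the public side.
    allow-query-cache { inside; };
};

// Public zone: holds only the hosts that are meant to be visible.
zone "example.org" {
    type master;
    file "example.org.public";
};

// Internal names are never stored here as authoritative data; queries
// for them are forwarded to the internal server and answered only for
// inside clients. Outside queries for this zone get REFUSED.
zone "internal.example.org" {
    type forward;
    forward only;
    forwarders { 10.0.0.2; };
    allow-query { inside; };
};

// ---- Internal host named.conf (assumed 10.0.0.2) ----
// Authoritative for the hidden names; answers only the bastion and the
// inside network, and does no recursion of its own.
options {
    directory "/var/named";
    recursion no;
    allow-query { 10.0.0.1; 10.0.0.0/8; };
};

zone "internal.example.org" {
    type master;
    file "internal.example.org.zone";
};
```

Check the syntax with `named-checkconf` on each host; a `dig @192.0.2.1 host.internal.example.org` from outside should come back REFUSED, while the same query from 10.0.0.0/8 is answered via the forwarder.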