Date:      Wed, 21 Feb 96 16:12 MET
From:      me@tartufo.muc.ditec.de (Michael Elbel)
To:        roberto@keltia.freenix.fr
Cc:        hackers@freebsd.org
Subject:   Re: An ISP's Wishlist...
Message-ID:  <m0tpGDz-000Pa6C@tartufo.muc.ditec.de>
References:  <Pine.BSF.3.91.960219184854.1181D-100000@nervosa.com> <199602200657.HAA01159@keltia.freenix.fr>

In lists.freebsd.hackers you write:

>It seems that invalid opcode said:
>> Why not just run 2 named servers on 2 separate machines ( 2 total ). The 
>> bastion host would run named, and any name queries to the protected 
>> network would be forwarded to an internal host running the second named 

>There is an easier way. 

>Have two hosts, one runs the public DNS server. The second one is running
>the private DNS server; it has the forwarders/slave clause in the
>named.boot to resolve anything it's not primary or secondary for. The
>public DNS machine is of course a _client_ of the private DNS. 

>Flow:

>      ^ server-server flow to resolve external hosts
>      |
>      |
>      |    server-server flow (forwarders)
>   public <----------------------------------    private
>          -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>
>                     client-server flow             ^
>                                                    I client-server flow
>                                                    I
>                                              Internal hosts

>That way, no risk with the public's cache leaking host names.

This way you effectively prevent information about the inside from leaking
out, but you still show ns information about the outside on the inside.
This gives you problems without end with mail clients that resolve
MX-records of outside hosts and try to connect directly to them from
the inside. You have to specially configure *each* *and* *every* machine
running an SMTP server to forward mail for the outside to the mail relay.
DIGITAL has a setup like this, which caused me no end of problems for
years.

With my three-server approach, I simply put * MX records for both the
. and the de domain into the internal server that point to the mail relay,
and all standard smtp setups work.

The only case I know of where clients on the inside might actually need
NS information of outside hosts is when you're using SOCKS. In this situation,
you have to make the dual-homed name server visible to the inside, but you
don't use it as the main server.

Michael
-- 
Michael Elbel, DITEC, Muenchen, Germany - me@muc.ditec.de
Fermentation fault (coors dumped)
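The two layouts compared in this message, as an added example that is not part of the original thread: a small Python model of the zone data each server holds, with wildcard matching done the way RFC 1034 section 4.3.3 specifies it. Every name (example.de, relay.example.de, the outside hosts), address and zone record below is a constructed placeholder. The model shows the difference the message describes (a private server that forwards to the public one hands inside clients the real outside MX records, so standard SMTP setups deliver directly; a private server that is primary for . and de with * MX records hands them the relay) and goes one step further than the message by showing why the wildcard is needed in both . and de: the delegation of example.de in the internal root zone makes de an existing empty name, so a wildcard at the root alone no longer covers names under de.

```python
"""Model of the split-horizon DNS layouts discussed in the thread.

Added example, not from the mailing list. All names, addresses and zone
contents are constructed placeholders. Wildcard matching follows
RFC 1034 section 4.3.3: a wildcard applies only when the queried name does
not exist and the closest existing ancestor of it owns the wildcard.
"""

RELAY = "relay.example.de."  # constructed placeholder for the mail relay


def parent(name):
    """Drop the leftmost label: 'a.b.c.' -> 'b.c.', 'c.' -> '.', '.' -> '.'."""
    _, _, tail = name.partition(".")
    return tail or "."


def in_zone(name, origin):
    """True when name lies at or below the zone origin."""
    return origin == "." or name == origin or name.endswith("." + origin)


class Zone:
    """Authoritative data for one zone, keyed by owner name then RR type."""

    def __init__(self, origin, records):
        self.origin = origin
        self.rrsets = {}
        for owner, rtype, rdata in records:
            self.rrsets.setdefault(owner, {}).setdefault(rtype, []).append(rdata)

    def exists(self, name):
        """True for owner names and for empty non-terminals above them."""
        if name in self.rrsets:
            return True
        suffix = "." if name == "." else "." + name
        return any(owner.endswith(suffix) for owner in self.rrsets)

    def lookup(self, name, rtype):
        if name in self.rrsets:                      # exact match (may be NODATA -> [])
            return self.rrsets[name].get(rtype, [])
        encloser = parent(name)                      # walk up to the closest encloser
        while not self.exists(encloser):
            encloser = parent(encloser)
        wildcard = "*." if encloser == "." else "*." + encloser
        return self.rrsets.get(wildcard, {}).get(rtype, [])


class Server:
    """A name server: authoritative for its zones, otherwise forwards if configured."""

    def __init__(self, zones, forward_to=None):
        self.zones = zones
        self.forward_to = forward_to

    def resolve(self, name, rtype):
        matching = [z for z in self.zones if in_zone(name, z.origin)]
        if matching:
            best = max(matching, key=lambda z: len(z.origin))  # longest origin wins
            return best.lookup(name, rtype)
        return self.forward_to.resolve(name, rtype) if self.forward_to else []


# The outside world, reduced to the two answers the scenario needs (constructed).
INTERNET = Server([Zone(".", [
    (".", "SOA", "a.root-servers.example. hostmaster.example."),
    ("ftp.somewhere.org.", "MX", "mx.somewhere.org."),
    ("host.other.de.", "MX", "mx.other.de."),
])])

# Zone data the public (bastion) named serves: only what the outside may see.
PUBLIC_RECORDS = [
    ("example.de.", "SOA", "ns.example.de. hostmaster.example.de."),
    ("example.de.", "MX", RELAY),
    (RELAY, "A", "192.0.2.25"),
]
# The internal copy adds the hosts that must never leak out.
INTERNAL_RECORDS = PUBLIC_RECORDS + [("intranet.example.de.", "A", "10.0.0.5")]

# Internal root zone: the * MX for everything, plus the delegation of example.de
# (which makes "de." exist as an empty non-terminal in this zone).
ROOT_WILDCARD = Zone(".", [
    (".", "SOA", "ns.example.de. hostmaster.example.de."),
    ("example.de.", "NS", "ns.example.de."),
    ("*.", "MX", RELAY),
])
DE_WILDCARD = Zone("de.", [
    ("de.", "SOA", "ns.example.de. hostmaster.example.de."),
    ("*.de.", "MX", RELAY),
])

public = Server([Zone("example.de.", PUBLIC_RECORDS)], forward_to=INTERNET)
private_two = Server([Zone("example.de.", INTERNAL_RECORDS)], forward_to=public)
private_no_de = Server([Zone("example.de.", INTERNAL_RECORDS), ROOT_WILDCARD])
private_three = Server([Zone("example.de.", INTERNAL_RECORDS), ROOT_WILDCARD, DE_WILDCARD])


def demo():
    """What each layout answers to the queries the message argues about."""
    return {
        "two_server_external_mx": private_two.resolve("ftp.somewhere.org.", "MX"),
        "three_server_external_mx": private_three.resolve("ftp.somewhere.org.", "MX"),
        "root_wildcard_only_de_host": private_no_de.resolve("host.other.de.", "MX"),
        "three_server_de_host": private_three.resolve("host.other.de.", "MX"),
        "public_view_of_internal_host": public.resolve("intranet.example.de.", "A"),
        "private_view_of_internal_host": private_three.resolve("intranet.example.de.", "A"),
    }


if __name__ == "__main__":
    for query, answer in demo().items():
        print(f"{query}: {answer}")
```

The forwarding private server returns mx.somewhere.org. for the outside host, which is exactly the record a stock SMTP daemon would try to deliver to directly; the private server that is primary for . returns the relay instead. The root_wildcard_only_de_host entry comes back empty because de. exists in the internal root zone as the parent of the example.de delegation, so the closest encloser is de., not ., and only a *.de. record (or a de zone carrying one) covers those names.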
