Message-ID: <38A5A67D.47F490D5@origen.com>
Date: Sat, 12 Feb 2000 12:29:17 -0600
From: Richard Martin
To: "David A. Gobeille"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: DSL firewall and DNS
References: <38A506F9.F402F9D@mcs.net>

Setup looks OK

> 1. When I register "company.com" with a registrar, will
> I be able to use 200.1.2.50 & 51 as my name server
> addresses?

Short answer is yes, but that leaves you hanging by a thread. It
might be better to have your ISP agree to run their system as a
slave and leave yours as the master. Easy for both of you.

There is another issue I haven't seen addressed and that is
reverse DNS. To be authoritative for a small section of a
network, you must have your ISP grant you authority in that
block. Sorry I have misplaced the RFC, but look up info on
'Subdomains of in-addr.arpa domains'. It's in the O'Reilly book,
too.

> Configuration files for named:
> options {
>     directory "/etc/namedb";
>
>     forwarders {
>         isp's dns server;
>         ditto;

I would suggest adding these options as well

    allow-transfer (your slaves);
    fetch-glue no;
    allow-recursion (your nets, int and ext);

to keep from giving away the phone book (other zone files ok)

>
> zone "2.168.192.in-addr.arpa" {
>     type master;
>     file "company.com.rev";
> };

This needs to come out.
Best to run private network DNS addresses on the other side of
the firewall, or thru hosts, netbios, etc.

--
Richard Martin                  dmartin@origen.com
OriGen Biomedical               Tel: +1 512 474 7278
2525 Hartford Rd.               Fax: +1 512 708 8522
Austin, TX 78703                http://www.cardiacdocs.com
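
The options suggested in the message above, written out in BIND 8 named.conf syntax as an added example that is not part of the original message. The ACL names, the 192.0.2.x addresses and the /24 prefix on the external block are assumptions; substitute the real slave, forwarder and network values.

```conf
// named.conf fragment for the external (firewall-side) name server.
// Addresses under 192.0.2.0/24 are placeholders, not values from the thread.

acl slaves {
    192.0.2.53;             // placeholder: the ISP's slave name server
};

acl ournets {
    127.0.0.1;
    192.168.2.0/24;         // internal net, taken from the quoted reverse zone
    200.1.2.0/24;           // external block; the prefix length is assumed
};

options {
    directory "/etc/namedb";

    forwarders {
        192.0.2.1;          // placeholder: ISP DNS server
        192.0.2.2;          // placeholder: second ISP DNS server
    };

    allow-transfer  { slaves; };    // zone transfers only to the listed slaves
    fetch-glue      no;             // do not fetch glue records the server lacks
    allow-recursion { ournets; };   // recursive lookups only for our own clients
};

// No zone "2.168.192.in-addr.arpa" on this server: the private reverse
// zone is removed here and answered from inside the firewall instead.
```

Running `named-checkconf` (shipped with BIND 9) or starting named and reading its syslog output catches a syntax slip in the ACLs before the server goes live.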