From owner-freebsd-isp Sat Feb 12 12:49:46 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from Kitten.mcs.net (Kitten.mcs.com [192.160.127.90]) by builder.freebsd.org (Postfix) with ESMTP id 41A9D3F67 for ; Sat, 12 Feb 2000 12:49:41 -0800 (PST)
Received: from mcs.net (dgobe.pr.mcs.net [204.137.234.195]) by Kitten.mcs.net (8.9.3/8.9.3) with ESMTP id OAA69597; Sat, 12 Feb 2000 14:49:29 -0600 (CST) (envelope-from dgobe@mcs.net)
Message-ID: <38A5C733.7D748600@mcs.net>
Date: Sat, 12 Feb 2000 14:48:51 -0600
From: "David A. Gobeille"
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Richard Martin
Cc: freebsd-isp@freebsd.org
Subject: Re: DSL firewall and DNS
References: <38A506F9.F402F9D@mcs.net> <38A5A67D.47F490D5@origen.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Richard Martin wrote:
>
> Setup looks OK
>
> > 1. When I register "company.com" with a registrar, will
> > I be able to use 200.1.2.50 & 51 as my name server
> > addresses?
>
> Short answer is yes, but that leaves you hanging by a thread. It might be
> better to have your ISP agree to run their system as a slave and leave yours
> as the master. Easy for both of you.
>
> There is another issue I haven't seen addressed and that is reverse DNS. To
> be authoritative for a small section of a network, you must have your ISP
> grant you authority in that block. Sorry I have misplaced the RFC, but look
> up info on 'Subdomains of in-addr.arpa domains'. It's in the O'Reilly book,
> too.

RFC2317 describes in-addr.arpa delegation on non-octet boundaries. I had that in the configuration posted.
(but I have not talked with the ISP yet to see if they would delegate that zone)

> > Configuration files for named:
> > options {
> >         directory "/etc/namedb";
> >
> >         forwarders {
> >                 isp's dns server;
> >                 ditto;
>
> I would suggest adding these options as well
>
>         allow-transfer (your slaves);
>         fetch-glue no;
>         allow-recursion (your nets, int and ext);
>
> to keep from giving away the phone book
>
> > (other zone files ok)
> >
> > zone "2.168.192.in-addr.arpa" {
> >         type master;
> >         file "company.com.rev";
> > };
>
> This needs to come out. Best to run private network DNS addresses on the
> other side of the firewall, or thru hosts, netbios, etc.
>
> --
> Richard Martin          dmartin@origen.com
> OriGen Biomedical       Tel: +1 512 474 7278
> 2525 Hartford Rd.       Fax: +1 512 708 8522
> Austin, TX 78703        http://www.cardiacdocs.com

Thanks for the info. After your reply and some others I think I will have the ISP do all or at least secondary DNS.

--
Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
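The thread's suggestions pulled together into one external named.conf, as an added example (not the configuration posted in the thread or by either poster). It assumes BIND 8 syntax (fetch-glue is a BIND 8 option; BIND 9 ignores it), a constructed ISP slave/resolver address 192.0.2.53, a constructed RFC 2317 delegation of 200.1.2.48/28, and an internal LAN of 192.168.2.0/24.

```conf
// External named.conf for company.com (added example; all addresses below
// are constructed placeholders, not values from the thread).
acl slaves    { 192.0.2.53; };                    // the ISP's secondary
acl recursers { 192.168.2.0/24; 200.1.2.48/28; }; // our internal and external nets

options {
        directory "/etc/namedb";
        forwarders { 192.0.2.53; };        // ISP resolver, used only for recursers
        allow-transfer { slaves; };        // braces, not parens; no AXFR to the world
        allow-recursion { recursers; };    // not an open resolver
        fetch-glue no;                     // BIND 8 only; keeps the cache lean
};

zone "company.com" {
        type master;
        file "company.com.zone";
};

// RFC 2317 classless reverse delegation. The ISP keeps 2.1.200.in-addr.arpa
// and points each address in our /28 at a zone it delegates to us, e.g.:
//   48/28           NS      ns1.company.com.
//   48/28           NS      ns2.company.com.
//   50              CNAME   50.48/28
//   51              CNAME   51.48/28
zone "48/28.2.1.200.in-addr.arpa" {
        type master;
        file "200.1.2.48-28.rev";          // PTRs for 50, 51, ... live here
};

// Deliberately absent: zone "2.168.192.in-addr.arpa". Reverse data for the
// RFC 1918 LAN belongs on a resolver behind the firewall, not on this host.
```

Until the ISP agrees to the 48/28 delegation, the reverse zone above answers only if clients are pointed at it directly; the CNAME entries on the ISP side are what make the lookup work from the outside.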