From owner-freebsd-net@FreeBSD.ORG Mon Aug 28 22:38:29 2006
From: Julian Elischer
Date: Mon, 28 Aug 2006 15:38:27 -0700
To: Julian Elischer
Cc: FreeBSD Net, John-Mark Gurney, Doug Barton
Subject: Re: possible patch for implementing split DNS
Message-ID: <44F37063.6010302@elischer.org>
In-Reply-To: <44F362C0.6080309@elischer.org>
References: <44EF6E18.6090905@elischer.org> <44F3429F.6050204@FreeBSD.org> <44F344FA.1000408@elischer.org> <20060828195339.GF37035@funkthat.com> <44F362C0.6080309@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Julian Elischer wrote:
> John-Mark Gurney wrote:
>
>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>
>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow you
>>> to specify a different config file
>>> so that you can supply different services to the inside and outside
>>> but it all falls apart
>>> if they still are forced to use the same DNS server and can not
>>> provide a differentiated service
>>> for that reason.
>>
>> Why not put one of the two inside a jail (I think someone else mentioned
>> this), or chroot'd environment where it can pick up a different
>> resolv.conf?
>
> The very mail you quoted says that I can not put it inside a jail.
> a chroot is slightly less problematical except that they do need to
> share filesystems.
> To make it fully work I need to have /etc nearly all shared along with
> a lot more but I need
> to have different /etc/resolv.conf

To expand on this.. imagine a set of 20 or so processes with about 10 or so
channels of communication between each pair of processes, utilising unix
domain sockets, lots of shared files, ip sockets and sysV opts.

I want some of this rat's nest of processes to use a different name server
but not all of them, without completely breaking any of the thousands of
not-so-obvious connections. Putting them in a chroot or a jail gives me so
many possible failure points my head spins. Just asking the resolver to ask
a different server seems the simple and less error prone path.

I would ask the security crew to think about this too as DNS is important to
get right for security, but I believe it can be done in such a way that it
remains secure.. possibly, by insisting that it remains in /etc but
specifying only the name portion. (for example).

> so, Why NOT make this tunable from the environment? it does not do it
> for SUID processes
> and there are already environment variables that influence name lookup.
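The two safeguards sketched above (ignore the variable in set-user-ID processes, and accept only a bare file name that is pinned under /etc) as an added example in C; this is not code from the thread or from FreeBSD's resolver, and the variable name RES_CONF_NAME and the function resolv_conf_path are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RESOLV_ENV     "RES_CONF_NAME"      /* assumed variable name */
#define RESOLV_DIR     "/etc/"
#define DEFAULT_RESOLV "/etc/resolv.conf"

/*
 * Pick the resolver config path. The default is written to out first, so a
 * rejected or ignored value always leaves the caller with a safe path.
 *   name     - value of the environment variable, or NULL if unset
 *   set_ugid - non-zero for a set-user-ID/set-group-ID process
 *              (issetugid(2) on FreeBSD); the environment is then ignored
 * Returns 1 when the override was accepted, 0 when the default is used,
 * -1 when the value was rejected (default still in out).
 */
int resolv_conf_path(const char *name, int set_ugid, char *out, size_t outlen)
{
    size_t i, n;

    snprintf(out, outlen, "%s", DEFAULT_RESOLV);
    if (set_ugid || name == NULL || name[0] == '\0')
        return 0;
    n = strlen(name);
    /* A leading '.' covers ".", ".." and dotfiles; the length bound keeps
       the /etc/ prefix plus the name inside the buffer. */
    if (n > 64 || name[0] == '.' || strlen(RESOLV_DIR) + n + 1 > outlen)
        return -1;
    for (i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
        if (!ok)            /* rejects '/', so the name cannot leave /etc */
            return -1;
    }
    snprintf(out, outlen, "%s%s", RESOLV_DIR, name);
    return 1;
}

int main(void)
{
    char path[256];
    /* Portable stand-in for issetugid(2). */
    int set_ugid = getuid() != geteuid() || getgid() != getegid();
    int r = resolv_conf_path(getenv(RESOLV_ENV), set_ugid, path, sizeof path);

    printf("%s (%s)\n", path,
           r == 1 ? "override" : r == 0 ? "default" : "rejected");
    return 0;
}
```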