From owner-freebsd-net@FreeBSD.ORG Mon Aug 28 23:29:49 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11D0316A4DE for ; Mon, 28 Aug 2006 23:29:49 +0000 (UTC) (envelope-from eculp@bafirst.com)
Received: from 72-12-2-214.wan.networktel.net (72-12-2-214.wan.networktel.net [72.12.2.214]) by mx1.FreeBSD.org (Postfix) with ESMTP id 997BF43D45 for ; Mon, 28 Aug 2006 23:29:48 +0000 (GMT) (envelope-from eculp@bafirst.com)
Received: from localhost (localhost [127.0.0.1]) (uid 80) by 72-12-2-214.wan.networktel.net with local; Mon, 28 Aug 2006 18:29:47 -0500 id 00095805.44F37C6B.00008F61
Received: from local2.local.net (local2.local.net [192.168.1.2]) by mail.bafirst.com (Horde MIME library) with HTTP; Mon, 28 Aug 2006 18:29:47 -0500
Message-ID: <20060828182947.p8ylw4x48oko00kg@mail.bafirst.com>
Date: Mon, 28 Aug 2006 18:29:47 -0500
From: eculp@bafirst.com
To: freebsd-net@freebsd.org
References: <44EF6E18.6090905@elischer.org> <44F3429F.6050204@FreeBSD.org> <44F344FA.1000408@elischer.org> <20060828195339.GF37035@funkthat.com> <44F362C0.6080309@elischer.org> <44F37063.6010302@elischer.org>
In-Reply-To: <44F37063.6010302@elischer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) 4.1-cvs
Subject: Re: possible patch for implementing split DNS
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 28 Aug 2006 23:29:49 -0000

Quoting Julian Elischer :

> Julian Elischer wrote:
>
>> John-Mark Gurney wrote:
>>
>>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>>
>>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow
>>>> you to specify a different config file
>>>> so that you can supply different services to the inside and outside
>>>> but it all falls apart
>>>> if they still are forced to use the same DNS server and can not
>>>> provide a differentiated service
>>>> for that reason.
>>>
>>> Why not put one of the two inside a jail (I think someone else mentioned
>>> this), or chroot'd environment where it can pick up a different
>>> resolv.conf?
>>
>> The very mail you quoted says that I can not put it inside a jail.
>> A chroot is slightly less problematical except that they do need to
>> share filesystems.
>> To make it fully work I need to have /etc nearly all shared along
>> with a lot more but I need
>> to have different /etc/resolv.conf
>
> To expand on this.. imagine a set of 20 or so processes with about 10 or so
> channels of communication between each pair of processes,
> utilising unix domain sockets, lots of shared files, ip sockets and
> sysV opts.
> I want some of this rat's nest of processes to use a different name
> server but not all of them,
> without completely breaking any of the thousands of not-so-obvious
> connections.
> Putting them in a chroot or a jail gives me so many possible failure
> points my head spins.
>
> Just asking the resolver to ask a different server seems the simple
> and less error prone path.
> I would ask the security crew to think about this too as DNS is
> important to get right for security,
> but I believe it can be done in such a way that it remains secure..
> possibly, by insisting that it remains in /etc but specifying only
> the name portion. (for example).

Hi, Julian,

I assume that you have seen the following:

http://www.howtoforge.com/two_in_one_dns_bind9_views

I found it interesting although I haven't had time to give it a try,
especially since I'm thinking about leaving bind9 for djbdns and
ldap2dns even though I've never been crazy about djbdns and family.

Good luck,

ed

>> So, why NOT make this tunable from the environment? It does not do
>> it for SUID processes
>> and there are already environment variables that influence name lookup.
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
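The howtoforge link above is about doing split DNS on the server side with BIND 9 views rather than by teaching the client resolver to pick a different server. As an added example that is not part of this thread or of the linked howto, here is a minimal named.conf showing that approach; the internal network 192.168.1.0/24, the zone example.com and the zone file paths under /etc/namedb are all assumed values chosen for illustration.

```conf
// Added example (not from the thread or the linked howto): split-horizon
// DNS with BIND 9 views. Assumed: internal network is 192.168.1.0/24,
// the zone is example.com, zone files live under /etc/namedb.
acl "internal-net" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/etc/namedb";
    // Global defaults are the restrictive ones; each view states its own
    // recursion and query policy explicitly.
    recursion no;
    allow-transfer { none; };
};

// Views are tried in order and the first match-clients hit wins, so the
// internal view must come before the catch-all external one.

// Inside clients: recursion allowed, internal (RFC 1918) addresses in the data.
view "internal" {
    match-clients { "internal-net"; };
    recursion yes;
    allow-query { "internal-net"; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";   // internal addresses only
    };
};

// Everyone else: authoritative answers only, public addresses only.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" {
        type master;
        file "external/example.com.db";   // public addresses only
    };
};
```

Two things worth checking after writing a configuration like this: run `named-checkconf` on the file (once views are in use, every zone must sit inside a view, or the check fails), and query the server from an inside address and an outside address with `dig` to confirm that each sees only the data meant for it. Note that this solves a different problem from Julian's: it selects the answer by who is asking, whereas his processes all sit on the same host and need to choose which server to ask.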