Date: Mon, 28 Aug 2006 18:29:47 -0500
From: eculp@bafirst.com
To: freebsd-net@freebsd.org
Subject: Re: possible patch for implementing split DNS
Message-ID: <20060828182947.p8ylw4x48oko00kg@mail.bafirst.com>
In-Reply-To: <44F37063.6010302@elischer.org>
References: <44EF6E18.6090905@elischer.org> <44F3429F.6050204@FreeBSD.org> <44F344FA.1000408@elischer.org> <20060828195339.GF37035@funkthat.com> <44F362C0.6080309@elischer.org> <44F37063.6010302@elischer.org>
Quoting Julian Elischer <julian@elischer.org>:

> Julian Elischer wrote:
>
>> John-Mark Gurney wrote:
>>
>>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>>
>>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow
>>>> you to specify a different config file
>>>> so that you can supply different services to the inside and outside,
>>>> but it all falls apart
>>>> if they are still forced to use the same DNS server and can not
>>>> provide a differentiated service
>>>> for that reason.
>>>
>>> Why not put one of the two inside a jail (I think someone else mentioned
>>> this), or a chroot'd environment where it can pick up a different
>>> resolv.conf?
>>
>> The very mail you quoted says that I can not put it inside a jail.
>> A chroot is slightly less problematic, except that they do need to
>> share filesystems.
>> To make it fully work I need to have /etc nearly all shared along
>> with a lot more, but I need
>> to have a different /etc/resolv.conf
>
> To expand on this.. imagine a set of 20 or so processes with about 10 or so
> channels of communication between each pair of processes,
> utilising unix domain sockets, lots of shared files, ip sockets and
> sysV opts.
> I want some of this rat's nest of processes to use a different name
> server but not all of them,
> without completely breaking any of the thousands of not-so-obvious
> connections.
> Putting them in a chroot or a jail gives me so many possible failure
> points my head spins.
>
> Just asking the resolver to ask a different server seems the simple
> and less error prone path.
> I would ask the security crew to think about this too, as DNS is
> important to get right for security,
> but I believe it can be done in such a way that it remains secure..
> possibly, by insisting that it remains in /etc but specifying only
> the name portion. (for example).
Hi, Julian,

I assume that you have seen the following:

http://www.howtoforge.com/two_in_one_dns_bind9_views

I found it interesting, although I haven't had time to give it a try,
especially since I'm thinking about leaving bind9 for djbdns and
ldap2dns, even though I've never been crazy about djbdns and family.

Good luck,

ed

>> So, why NOT make this tunable from the environment? It does not do
>> it for SUID processes,
>> and there are already environment variables that influence name lookup.
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
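The BIND 9 "views" approach Ed points to above, as an added example that is not part of the original thread or of the howtoforge article: a named.conf fragment that hands internal clients one copy of a zone and everyone else another. The zone name example.com, the internal network 192.168.1.0/24 and the zone file paths are assumptions chosen for illustration.

```conf
// Added example (not from the thread): split-horizon DNS with BIND 9 views.
// Assumptions: internal network 192.168.1.0/24, zone example.com, zone files
// under /usr/local/etc/namedb (the FreeBSD ports layout).

acl "internal" {
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/usr/local/etc/namedb";
};

// Views are tried in order and the first whose match-clients matches wins,
// so the restricted internal view must come before the catch-all external one.
// Once any view is declared, every zone must live inside a view.
view "internal" {
    match-clients { internal; };
    // Internal hosts may use this server as their recursive resolver.
    recursion yes;
    zone "example.com" {
        type master;
        file "master/example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    // Outside clients get authoritative answers only: no open recursion.
    recursion no;
    zone "example.com" {
        type master;
        file "master/example.com.external";
    };
};
```

Run `named-checkconf` on the result before reloading, then query the server with `dig` from a host on each side of the boundary and confirm the answers differ. Two caveats worth keeping in mind: `match-clients` selects a view by the query's source address, which a UDP sender can forge, so views differentiate answers but do not authenticate the asker; and, in the situation Julian describes, processes on the same host all query from the same source address, so a view can only tell them apart if the processes that need the other answer set are bound to a distinct source address.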