Date: Mon, 28 Aug 2006 15:38:27 -0700
From: Julian Elischer <julian@elischer.org>
To: Julian Elischer <julian@elischer.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, John-Mark Gurney <gurney_j@resnet.uoregon.edu>, Doug Barton <dougb@freebsd.org>
Subject: Re: possible patch for implementing split DNS
Message-ID: <44F37063.6010302@elischer.org>
In-Reply-To: <44F362C0.6080309@elischer.org>
References: <44EF6E18.6090905@elischer.org> <44F3429F.6050204@FreeBSD.org> <44F344FA.1000408@elischer.org> <20060828195339.GF37035@funkthat.com> <44F362C0.6080309@elischer.org>
Julian Elischer wrote:
> John-Mark Gurney wrote:
>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>
>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow you
>>> to specify a different config file so that you can supply different
>>> services to the inside and outside, but it all falls apart if they are
>>> still forced to use the same DNS server and cannot provide a
>>> differentiated service for that reason.
>>
>> Why not put one of the two inside a jail (I think someone else mentioned
>> this), or a chroot'd environment where it can pick up a different
>> resolv.conf?
>
> The very mail you quoted says that I cannot put it inside a jail.
> A chroot is slightly less problematical, except that they do need to
> share filesystems.
> To make it fully work I need to have /etc nearly all shared, along with
> a lot more, but I need to have a different /etc/resolv.conf.

To expand on this: imagine a set of 20 or so processes with about 10 or so
channels of communication between each pair of processes, utilising unix
domain sockets, lots of shared files, ip sockets and sysV opts. I want some
of this rats' nest of processes to use a different name server, but not all
of them, without completely breaking any of the thousands of not-so-obvious
connections. Putting them in a chroot or a jail gives me so many possible
failure points my head spins. Just asking the resolver to ask a different
server seems the simpler and less error-prone path.

I would ask the security crew to think about this too, as DNS is important
to get right for security, but I believe it can be done in such a way that
it remains secure, possibly by insisting that it remains in /etc but
specifying only the name portion (for example).

> So, why NOT make this tunable from the environment? It does not do it
> for SUID processes, and there are already environment variables that
> influence name lookup.
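The policy sketched in the message above (an environment override for the resolver config that is ignored for set-uid processes and may only name a file under /etc) as an added example. This is not code from the thread, from the patch under discussion, or from the FreeBSD libc resolver; the variable name RES_CONF_NAME, the 64-character limit and the allowed character set are assumptions made here for illustration.

```c
/*
 * Added example (not FreeBSD resolver code): pick the resolver config
 * file from a hypothetical RES_CONF_NAME environment variable, subject
 * to the two rules argued for in the thread:
 *   1. the environment is ignored entirely for set-uid/set-gid processes;
 *   2. the override is a bare file name which is always placed under /etc,
 *      so it cannot point the resolver at a file elsewhere.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define RES_CONF_DEFAULT "/etc/resolv.conf"
#define RES_CONF_DIR     "/etc/"
#define RES_CONF_ENV     "RES_CONF_NAME"  /* assumed name, not a real knob */
#define RES_CONF_MAXNAME 64               /* assumed limit for this example */

/*
 * Accept only a non-empty bare file name: no '/', not starting with '.'
 * (which rejects ".", ".." and dotfiles), and only [A-Za-z0-9._-].
 */
static int safe_conf_name(const char *name)
{
    size_t i, n;

    if (name == NULL || *name == '\0')
        return 0;
    n = strlen(name);
    if (n > RES_CONF_MAXNAME || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/*
 * Pure decision function, so the policy can be exercised without touching
 * the real environment.  env_value is the variable's value (NULL if unset)
 * and setugid is nonzero when the caller runs with elevated privileges.
 * Returns a pointer to a static buffer holding the path to use.
 */
const char *choose_resolv_conf(const char *env_value, int setugid)
{
    static char path[sizeof RES_CONF_DIR + RES_CONF_MAXNAME];

    if (setugid || !safe_conf_name(env_value))
        return RES_CONF_DEFAULT;
    snprintf(path, sizeof path, "%s%s", RES_CONF_DIR, env_value);
    return path;
}

/* Privilege check: issetugid(2) on FreeBSD, real-vs-effective id elsewhere. */
static int running_setugid(void)
{
#ifdef __FreeBSD__
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

int main(void)
{
    const char *p = choose_resolv_conf(getenv(RES_CONF_ENV), running_setugid());

    printf("resolver config: %s\n", p);
    return 0;
}
```

Run it as `RES_CONF_NAME=resolv.inside.conf ./a.out` from an unprivileged shell to see the override take effect; the same binary installed set-uid, or given a value such as `../tmp/x`, falls back to /etc/resolv.conf. The real-vs-effective id comparison used off FreeBSD is weaker than issetugid(2), which also remembers privilege that has since been dropped.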