Date:      Fri, 3 Dec 1999 02:42:29 +0200
From:      d e a t h <charon@hades.hell.gr>
To:        Brent Kearney <brent@kearneys.ca>
Cc:        questions@freebsd.org
Subject:   Re: Internal vs External DNS (2 nameds)
Message-ID:  <19991203024229.C31576@hades.hell.gr>
In-Reply-To: <19991202144429.A86312@kearneys.ca>
References:  <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>

On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to 
> > > listen on different interfaces and supply DNS info to differing 
> > 
> > Good enough.  Take care in the configuration files of the two nameds
> 
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version.  If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
> 
> List at large: can't BIND do both his internal and external networks? 
> (i.e., run one copy of BIND for both networks).  If so, would the 
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?

Yes, each zone of named can be configured with an `allow-query'
statement that will make it accessible from a set of IPs or subnets.
If you don't want anyone from your "external" network to be allowed to
do lookups to 10.0.0.0/8 addresses, in your named.conf you can put

	zone "0.0.10.IN-ADDR.ARPA" {
	        type master;
	        file "primary/localnet-rev";
	        allow-query { 10.0.0.0/8; 127.0.0.1; };
	};

and you're pretty sure that no queries will be sent to this zone from
any hosts not listed in allow-query.  A combination of allow-query and
allow-transfer might make the more paranoid among us feel even more
`safe' and relaxed ;)

Carefully tuned allow-query and allow-transfer lines in all your zones
are certainly a Good Thing(TM).

Ciao.

-- 
Giorgos Keramidas, <keramida@ceid.upatras.gr>
"What we have to learn to do, we learn by doing." [Aristotle]

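The allow-query / allow-transfer arrangement described in the reply above, written out as a complete named.conf for one named that serves both sides of the gateway. This is an added example, not configuration from the original thread: the domain example.org, the zone file names under primary/, the outside address 192.0.2.1 and the public secondary at 192.0.2.53 are assumptions; the internal space 10.0.0.0/8 is the one used in the reply.

```conf
// Added example (not from the thread): one named, two visibilities.
// Assumed: example.org, 192.0.2.1 as the outside address, 192.0.2.53 as
// the only host allowed to pull a copy of the public zone.

acl "internal"    { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { 192.0.2.53; };

options {
        directory "/etc/namedb";
        // Inside and outside interfaces of the gateway (assumed addresses).
        listen-on { 10.0.0.1; 192.0.2.1; };
        // Default for every zone that does not say otherwise: no AXFR at all.
        allow-transfer { none; };
        // Only inside hosts may use this server as a recursive resolver
        // (allow-recursion appeared in BIND 8.2; leave it out on 8.1.2).
        allow-recursion { internal; };
};

// Public data: anyone may query, only the listed secondary may transfer.
zone "example.org" {
        type master;
        file "primary/example.org";
        allow-query    { any; };
        allow-transfer { secondaries; };
};

// Internal forward zone: answered only for inside hosts, never transferred.
zone "internal.example.org" {
        type master;
        file "primary/internal.example.org";
        allow-query    { internal; };
        allow-transfer { none; };
};

// Reverse zone for 10.0.0.0/24, restricted the same way as in the reply.
zone "0.0.10.in-addr.arpa" {
        type master;
        file "primary/localnet-rev";
        allow-query    { internal; };
        allow-transfer { none; };
};
```

After `ndc reload`, a lookup such as `dig @192.0.2.1 -x 10.0.0.5` from an outside host should come back REFUSED, while the same query from a 10.x host against 10.0.0.1 is answered. One caveat worth knowing: the access lists match on the client's source address, not the interface, and a REFUSED reply still tells an outsider that the server is authoritative for that name. If the mere existence of the internal zones must stay hidden, that takes a second named bound to the inside interface only, as Kit proposed, rather than per-zone allow-query alone.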
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991203024229.C31576>