Date:      Fri, 3 Dec 1999 21:59:11 +1300
From:      kit <kit@hypostasis.com>
To:        Brent Kearney <brent@kearneys.ca>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Internal vs External DNS (2 nameds)
Message-ID:  <19991203215911.A16629@amethyst.hypostasis.com>
In-Reply-To: <19991202144429.A86312@kearneys.ca>; from Brent Kearney on Thu, Dec 02, 1999 at 02:44:29PM -0800
References:  <19991201225936.B10261@amethyst.hypostasis.com> <19991202123650.C5160@hades.hell.gr> <19991202144429.A86312@kearneys.ca>

On Thu, Dec 02, 1999 at 02:44:29PM -0800, Brent Kearney wrote:
> On Thu, Dec 02, 1999 at 12:36:50PM +0200, d e a t h wrote:
> > On Wed, Dec 01, 1999 at 10:59:36PM +1300, Kit wrote:
> > > Hi
> > > I am wanting to run separate DNS for internal and external networks
> > > I have a gateway running 3.3-STABLE and bind 8.1.2
> > > I am considering running 2 copies of named on the one machine to 
> > > listen on different interfaces and supply DNS info to differing 
> > 
> > Good enough.  Take care in the configuration files of the two named's
> 
> Kit: you should really upgrade to a newer version of BIND - there are
> lots of exploits available for your old version.  If you're running
> -STABLE, then it should be easy to upgrade after CVSup'ing your ports
> tree.
Not quite as easy as it could be.  I think I need to actually delete all 
the previous bind 8.1.2 files and then run make install from ports.  Or
do it by hand ;)

Interestingly the ports version with STABLE's 8.1.2 installed puts everything
in /usr/local/sbin and leaves the previous 8.1.2 in /usr/sbin (as of about
8 days ago).  It also defaults to /etc/named.conf rather than 
/etc/namedb/named.conf as the conf file.  Whereas with RELEASE and 
the 8.1.2 port installed pkg_delete on the 8.1.2 and make on the port
installed everything as I had expected.  Of course running named with
explicit conf files gets around part of the problem but I have not yet 
checked to see which versions and from which paths it will call the 
other programs it uses.  8.1.2 is also not vulnerable to the access bug
(and I run it with -u bind -g bind) so access to the machine is not
likely.  Mind you having just reread the bind security notices at isc.org
it is vulnerable to more than I thought of the DoS bugs so it's a good thing
that I've got a weekend to make some time in :)

 
> List at large: can't BIND do both his internal and external networks? 
> (i.e., run one copy of BIND for both networks).  If so, would the 
> information about his internal network still be private, or by adding
> it to his DNS would he be divulging this information?

To run bind to serve different answers to different networks there are 
two options.  
1. To have separate zones
i.e. something like
zone "int.hypostasis.com" {
        type master;
        file "s/db.internal";
        allow-query { localnets; };
};
zone "hypostasis.com" {
        type master;
        file "s/db.external";
        allow-query { !localnets; any; };
};
which will allow me to access the shared machines by substituting the "int."
into the name.
or
2. Run 2 servers both with the same zone.
This requires 
        listen-on { 192.168.1.1; };
and 
        listen-on { 192.168.0.1; };
in the appropriate .conf files, so that the first instance does not 
grab all the available interfaces.  To make matters interesting I 
have 2 lots of nat between me and the world.  My connection is ADSL on 
an external router/modem which can make the numbers look all too similar.
It's really a question of blocking all I don't want to see with ipfw.

Both methods are mentioned in the comp.protocols.tcp-ip.domains FAQ
http://www.intac.com/~cdp/cptd-faq/section5.html#split_DNS
The FreeBSDDiary also has the first method at
http://www.freebsddiary.org/freebsd/privatedns.htm

As and when I'm happy that it's behaving as I expect I'll set it up as 
a proper name server and switch my domain to it.
> 
> -Brent

--kit
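Added example (not part of the original thread): the two zones above depend on BIND's address match list semantics, which are first-match-wins in element order, so `!localnets; any;` denies local clients and admits everyone else, while `any; !localnets;` would admit everyone because the negation is never reached. The Python below models that evaluation for the two zones; the "localnets" networks and the client addresses are constructed sample values, IPv4 only, and `all` is accepted alongside BIND's own `any` keyword because the thread uses that spelling.

```python
import ipaddress

# Constructed sample: two RFC 1918 networks standing in for what BIND
# derives as "localnets" from the gateway's interfaces. IPv4 only.
LOCALNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.0.0/24"),
]


def parse_match_list(text):
    """Parse a BIND-style address match list such as "!localnets; any;"
    into an ordered list of (negated, network) pairs.

    "localnets" expands to LOCALNETS; "any" (BIND's keyword) and "all"
    (the spelling used in the thread) both match every address.
    """
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        name = item.lstrip("!").strip()
        if name == "localnets":
            elements.extend((negated, net) for net in LOCALNETS)
        elif name in ("any", "all"):
            elements.append((negated, ipaddress.ip_network("0.0.0.0/0")))
        else:
            elements.append((negated, ipaddress.ip_network(name, strict=False)))
    return elements


def client_allowed(match_list, client_ip):
    """Evaluate a match list the way BIND does: elements are tried in order
    and the first one whose network contains the client decides the result
    (a negated element that matches means deny). No match means deny.
    """
    ip = ipaddress.ip_address(client_ip)
    for negated, net in match_list:
        if ip in net:
            return not negated
    return False


# The two zones from the thread with their allow-query lists.
ZONES = {
    "int.hypostasis.com": parse_match_list("localnets;"),
    "hypostasis.com": parse_match_list("!localnets; any;"),
}


def zones_visible_to(client_ip, zones=ZONES):
    """Return the sorted names of the zones a given client may query."""
    return sorted(name for name, acl in zones.items()
                  if client_allowed(acl, client_ip))


if __name__ == "__main__":
    for client in ("192.168.1.20", "203.0.113.7"):
        print(client, "->", zones_visible_to(client))
    # Ordering pitfall: with "any" first the negation is never reached,
    # so an internal host gets the external answer.
    wrong = parse_match_list("any; !localnets;")
    print("internal host allowed by 'any; !localnets;':",
          client_allowed(wrong, "192.168.1.20"))
```

Running it prints that the internal host sees only `int.hypostasis.com`, the outside address sees only `hypostasis.com`, and the reversed list admits the internal host, which is the misconfiguration to check for after editing named.conf.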


