Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nexus.coast.net!simtel!noc.netcom.net!news.sprintlink.net!cam.news.pipex.net!pipex!edi.news.pipex.net!pipex!oleane!jussieu.fr!univ-lyon1.fr!ensta!itesec!sidhe.frmug.fr.net!not-for-mail
From: roberto@keltia.freenix.fr (Ollivier Robert)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Dual DNS
Date: 22 Jun 1995 18:11:54 +0200
Organization: Support The Free UNIX Systems
Lines: 34
Message-ID: <3sc4oa$svf@sidhe.hsc-sec.fr>
References: <1995Jun14.194450.1358@combdyn.com> <1995Jun16.175330.17717@combdyn.com> <3rv3g0$k1e@vishnu.jussieu.fr> <3s3m92$557@bonnie.tcd-dresden.de>
Reply-To: roberto@hsc.fr.net (Ollivier Robert)
NNTP-Posting-Host: sidhe.hsc-sec.fr
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

In article <3s3m92$557@bonnie.tcd-dresden.de>,
J Wunsch <joerg_wunsch@uriah.heep.sax.de> wrote:
> OTOH, i don't see a good reason why you do want to hide the hosts via
> DNS. You do already hide them via the firewall, and if you are

Some people don't want to publish the topology of their internal
network. I don't think it interesting (as sendmail will happily show
you the relay hosts) but I can respect that.

> paranoid, use a 192.168.* or another not-routed network for the
> internal hosts. Even though people will be able to resolve the hosts
> from outside, they will get unreachable IP addresses.

I consider publishing non-routable addresses bad taste. If you're using
RFC-1597 addresses then it should be mandatory to use a double DNS.

> It's also possible to limit zone transfers to the trusted secondaries
> (but i forgot how to do that), just in case you want to prevent

The clause is xfernet in /etc/named.boot but it is AFAIK specific to BIND.

> everybody from running a `ls' command in nslookup (so all you can ask
> DNS is whether a named host is ok or not, but you cannot ask it to
> report all known names). Of course, the trusted secondaries must
> agree on the same policy.

The .FR zone is a good example of that: you cannot get the entire zone
from the French primary/secondaries but princeton.EDU will allow
them... That's too bad. The double DNS is a cleaner solution to this.

-- 
Ollivier ROBERT -=-=- Herve Schauer Consultants -=-=- roberto@freebsd.org
-=-=-=-=-=- Support The Free UNIX Systems ! FreeBSD Linux NetBSD -=-=-=-=-=-
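The two measures discussed in this thread, a "double DNS" that serves a different view of the zone to inside and outside, and zone transfers limited to trusted secondaries, expressed as an added BIND 9 named.conf fragment (not from the thread, which refers to the older BIND 4 named.boot; zone name, file paths and all addresses are constructed placeholders):

```conf
// Constructed example: example.com with a split-horizon ("double DNS") setup.
// Addresses are placeholders (RFC 1918 inside, RFC 5737 documentation range outside).
acl "internal-nets"        { 192.168.0.0/16; 127.0.0.1; };
acl "internal-secondaries" { 192.168.1.53; };
acl "external-secondaries" { 192.0.2.53; 198.51.100.53; };

// Internal view: the full topology, visible only to internal clients.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/db.example.com";
        // Older BIND releases allow AXFR from anyone unless told otherwise;
        // restricting it is what stops `ls` in nslookup (an AXFR) from
        // listing every internal host. The secondary for this view must
        // itself sit on an internal address, or it matches the external view.
        allow-transfer { internal-secondaries; };
    };
};

// External view: only the hosts that must be reachable from the Internet,
// none of the RFC 1918 addresses.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";
        allow-transfer { external-secondaries; };
    };
};
```

As the thread notes, the restriction only holds if every secondary carries the same allow-transfer policy; a secondary that transfers to anyone hands out the whole zone regardless of what the primary does.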