*BSD News Article 46215
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nexus.coast.net!simtel!noc.netcom.net!news.sprintlink.net!cam.news.pipex.net!pipex!edi.news.pipex.net!pipex!oleane!jussieu.fr!univ-lyon1.fr!ensta!itesec!sidhe.frmug.fr.net!not-for-mail
From: roberto@keltia.freenix.fr (Ollivier Robert)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Dual DNS
Date: 22 Jun 1995 18:11:54 +0200
Organization: Support The Free UNIX Systems
Lines: 34
Message-ID: <3sc4oa$svf@sidhe.hsc-sec.fr>
References: <1995Jun14.194450.1358@combdyn.com> <1995Jun16.175330.17717@combdyn.com> <3rv3g0$k1e@vishnu.jussieu.fr> <3s3m92$557@bonnie.tcd-dresden.de>
Reply-To: roberto@hsc.fr.net (Ollivier Robert)
NNTP-Posting-Host: sidhe.hsc-sec.fr
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

In article <3s3m92$557@bonnie.tcd-dresden.de>,
J Wunsch <joerg_wunsch@uriah.heep.sax.de> wrote:
> OTOH, i don't see a good reason why you do want to hide the hosts via
> DNS.  You do already hide them via the firewall, and if you are

Some people don't want to publish the topology of their internal network. I
don't think it is interesting (as sendmail will happily show you the relay
hosts) but I can respect that.

> paranoid, use a 192.168.* or another not-routed network for the
> internal hosts.  Even though people will be able to resolve the hosts
> from outside, they will get unreachable IP addresses.

I consider it bad taste to publish non-routable addresses. If you're using
RFC-1597 addresses then it should be mandatory to use a double DNS.

> It's also possible to limit zone transfers to the trusted secondaries
> (but i forgot how to do that), just in case you want to prevent

The clause is xfernet in /etc/named.boot but it is AFAIK specific to BIND.

> everybody from running a `ls' command in nslookup (so all you can ask
> DNS is whether a named host is ok or not, but you cannot ask it to
> report all known names).  Of course, the trusted secondaries must
> agree on the same policy.

The .FR zone is a good example of that: you cannot get the entire zone
from the French primary/secondaries but princeton.EDU will allow
them... That's too bad.

The double DNS is a cleaner solution to this.
-- 
Ollivier ROBERT  -=-=-  Herve Schauer Consultants -=-=-  roberto@freebsd.org
-=-=-=-=-=- Support The Free UNIX Systems ! FreeBSD Linux NetBSD -=-=-=-=-=-
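The two mechanisms discussed in this thread, a "double DNS" (one view of the zone for internal hosts, a trimmed one for the outside) and a zone-transfer list limited to trusted secondaries, can be modelled as a small policy engine. The following is an added example, not code from the post or from BIND; the zone contents, client addresses and secondary addresses are constructed for the example, and the helper names (`answer`, `select_view`, `private_address_leaks`) are this example's own. It also adds a defender's check the post only implies: that the external view publishes no RFC 1597/1918 addresses.

```python
"""Split-horizon ("double DNS") policy model with a zone-transfer ACL.

Constructed example: two views of the same zone, a view chosen by the
client's source address, AXFR allowed only for trusted secondaries,
and a leak check for private addresses in the external view.
"""
from ipaddress import ip_address, ip_network

ZONE = "example.fr."

# Constructed sample zone. The external view carries only what the
# outside world needs; the internal view also carries the private
# topology (RFC 1597/1918 addresses) that should never be published.
EXTERNAL_VIEW = {
    ("example.fr.", "MX"): ["10 relay.example.fr."],
    ("relay.example.fr.", "A"): ["192.0.2.25"],
    ("www.example.fr.", "A"): ["192.0.2.80"],
}
INTERNAL_VIEW = dict(EXTERNAL_VIEW)
INTERNAL_VIEW.update({
    ("fileserver.example.fr.", "A"): ["192.168.10.5"],
    ("fw-inside.example.fr.", "A"): ["192.168.10.1"],
})

# Clients inside these networks get the internal view (constructed).
INTERNAL_NETS = [ip_network("192.168.0.0/16")]
# Only these hosts may pull the whole zone (the xfrnets / allow-transfer
# idea); one external secondary, one internal secondary (constructed).
TRUSTED_SECONDARIES = [ip_network("192.0.2.53/32"),
                       ip_network("192.168.10.53/32")]
# Listed explicitly: ipaddress.is_private also flags documentation
# ranges such as 192.0.2.0/24, which is not what we want to catch here.
RFC1918_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def in_any(addr, nets):
    """True if the textual address lies in any of the given networks."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def select_view(client_ip):
    """Internal clients see the full zone, everyone else the public subset."""
    return INTERNAL_VIEW if in_any(client_ip, INTERNAL_NETS) else EXTERNAL_VIEW


def canonical(name):
    """Lower-case, fully qualified owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def answer(client_ip, qname, qtype):
    """Return (rcode, records) for a query as the chosen view would answer it.

    AXFR returns the whole view as sorted (name, type, rdata) triples, but
    only for trusted secondaries; anyone else is REFUSED, so an outsider
    cannot enumerate the zone with an nslookup 'ls'.
    """
    view = select_view(client_ip)
    qname, qtype = canonical(qname), qtype.upper()
    if qtype == "AXFR":
        if qname != ZONE:
            return ("NOTAUTH", [])
        if not in_any(client_ip, TRUSTED_SECONDARIES):
            return ("REFUSED", [])
        return ("NOERROR", sorted((n, t, r) for (n, t), rrs in view.items()
                                  for r in rrs))
    if (qname, qtype) in view:
        return ("NOERROR", list(view[(qname, qtype)]))
    if any(n == qname for (n, _) in view):
        return ("NOERROR", [])          # name exists, no data of that type
    return ("NXDOMAIN", [])


def private_address_leaks(view):
    """Names in a view whose A records point into RFC 1918 space.

    Run against EXTERNAL_VIEW before publishing: a non-empty result means
    the public DNS would hand out non-routable internal addresses.
    """
    return sorted(name for (name, rtype), rrs in view.items()
                  if rtype == "A" and any(in_any(r, RFC1918_NETS) for r in rrs))


if __name__ == "__main__":
    for client, name, rtype in [("203.0.113.9", "fileserver.example.fr.", "A"),
                                ("192.168.10.77", "fileserver.example.fr.", "A"),
                                ("203.0.113.9", "example.fr.", "AXFR"),
                                ("192.0.2.53", "example.fr.", "AXFR")]:
        print(client, name, rtype, "->", answer(client, name, rtype))
    print("external leaks:", private_address_leaks(EXTERNAL_VIEW))
    print("internal (expected) private names:", private_address_leaks(INTERNAL_VIEW))
```

Note that the external secondary at 192.0.2.53 receives only the external view, so a secondary that does not enforce the same policy (the point made about princeton.EDU above) can at worst leak the public subset, not the internal topology.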