
Re: Securing bind..



<quote who="Karl M. Hegbloom">
> [ The quoted email is dated last December... I hope nobody minds me
> reviving the conversation.  I'm catching up on a few mail groups. ]

> {Internal network}----[firewall/gateway router]-+----{Internet}
>                                                 |
>                                                 +---[Nameserver]
>
>  The nameserver is configured to allow recursive queries only from
>  hosts coming from inside, through the firewall/gateway router


I don't know about others, but I run about maybe 15 or 20 nameservers,
and in all cases, if there is a firewall, I run a dedicated nameserver
for public queries and another for private.  My home network
is the most basic setup: my firewall (P3-800, 1GB) is also many
other things, including NAT/SMTP/IMAP/DNS/etc. I have 2 copies
of bind running, one I have set to bind to 127.0.0.1 and 10.10.10.1 (my
internal addresses), and another copy set to bind to 216.39.174.24 (my
external address). Most of this is because there is stuff I have
resolving on my internal LAN (including stuff that goes across a VPN to my
work) that I do not want outsiders to resolve.

So, it's just easier for me, rather than trying to set up something based
on query source, to just bind to an IP that is not routable
past the firewall.

On my networks at work, I have all machines operating behind
static (1:1) NAT. So if I wanted to I could put a bunch of stuff out
there in the wild, but I don't have to route the IP from the internet
to the machine if I don't want to. Cisco's ipnat functions work
quite well, though they take up a lot of CPU: my 2500s can
just barely keep up with a single T1 going full blast in and out
full duplex, CPU goes to 100%. If it's full blast in one direction, CPU
is at 50%.

nate
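The two-instance split nate describes, as an added example that is not part of his post: two separate named.conf files, one per bind process, using the addresses from the post. The zone names, file paths, pid-file paths and the 10.10.10.0/24 internal range are assumptions.

```conf
// ---- /etc/named-internal.conf (assumed path) ----
// Internal instance: listens only on loopback and the LAN address,
// so nothing arriving on the external interface ever reaches it.
// Recursion is limited to inside hosts as a second line of defence.
options {
    directory "/var/named/internal";            // assumed path
    pid-file  "/var/run/named-internal.pid";    // must differ per instance
    listen-on { 127.0.0.1; 10.10.10.1; };
    listen-on-v6 { none; };
    recursion yes;
    allow-recursion { 127.0.0.1; 10.10.10.0/24; }; // assumed LAN range
    allow-query     { 127.0.0.1; 10.10.10.0/24; };
};
zone "lan.example" {                            // assumed internal zone
    type master;
    file "lan.example.zone";
};

// ---- /etc/named-external.conf (assumed path) ----
// External instance: listens only on the public address, serves its
// own zones, and never recurses for anyone.
options {
    directory "/var/named/external";            // assumed path
    pid-file  "/var/run/named-external.pid";
    listen-on { 216.39.174.24; };
    listen-on-v6 { none; };
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };                   // no zone transfers to outsiders
};
zone "example.com" {                            // assumed public zone
    type master;
    file "example.com.zone";
};
```

Each file is started as its own process with `named -c /etc/named-internal.conf` and `named -c /etc/named-external.conf`; run `named-checkconf` against each file first, since the two `options` blocks cannot share one file.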
