On 2001.07.01, Vineet Kumar <[EMAIL PROTECTED]> wrote:
> Also, you need not run 2 separate instances of bind to get the
> functionality described below. I can't tell by your description
> exactly what access you're allowing to each interface, but mine looks
> something like this:
>
> the Internet can query my server for zones it's authoritative for.
> localhost and anyone in the local net can query the server for caching
> and forwarding to the ISP's nameservers. It's set up using a
> forwarders statement and an allow-recursion statement like this:
That's not exactly what I do. This is more like it:

I have hosts a.foo.com, b.foo.com, and c.foo.com on my local LAN. a.foo.com is in my DMZ (visible to the Internet) but b.foo.com and c.foo.com are internal hosts not visible to the Internet. While it's true that I have domain transfers restricted to my slave DNS servers so I don't have to worry about some stranger doing a "ls -d" against my foo.com domain and finding out the names for my other hosts, I don't even want them in the zone file for foo.com that's visible to the outside world.

So, I run two instances of BIND ... I set listen-on and allow-query for each so that the external DNS listens on the interface that sits on the DMZ, and the internal DNS listens on the interface that sits behind the firewall. Hosts on the Internet or out in the DMZ can only resolve addresses I choose to publish on the outside. Hosts on my local LAN can resolve all of my hostnames. There's no way of accidentally exposing records as they live in two separate zone files.

Another benefit: I want "a.foo.com" accessed as 1.2.3.4 from the Internet (as that's its routable IP) but as 10.2.3.4 from a host behind my firewall. With my set-up, I can do this easily. In my external DNS zone file for foo.com, I set the IN A record to point to 1.2.3.4, and in my internal DNS zone file for foo.com, I set the IN A record to point to 10.2.3.4. Really simple.

- Dossy

-- 
Dossy Shiobara              mail: [EMAIL PROTECTED]
Panoptic Computer Network   web:  http://www.panoptic.com/
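As an added illustration (not Dossy's actual files), the two-instance split described in the reply looks like this in BIND named.conf and zone-file syntax: one instance bound to the DMZ-facing address, one to the inside address, each loading its own foo.com zone file. The interface addresses 1.2.3.1 and 10.2.3.1, the slave addresses, the file and directory names, the addresses of b and c, and the `recursion no` line on the external instance are assumptions added here; only 1.2.3.4 and 10.2.3.4 for a.foo.com come from the post.

```conf
// ---- named-external.conf (assumed name): instance on the DMZ interface ----
options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid";   // separate pid file so both instances can run
    listen-on { 1.2.3.1; };                    // DMZ-facing address (placeholder)
    allow-query { any; };                      // Internet may query the published records
    allow-transfer { 5.6.7.8; };               // external slave only (placeholder address)
    recursion no;                              // added hardening: not a resolver for outsiders
};
zone "foo.com" {
    type master;
    file "foo.com.external";
};

// ---- named-internal.conf (assumed name): instance behind the firewall ----
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 10.2.3.1; };                   // inside address (placeholder)
    allow-query { 127.0.0.1; 10.0.0.0/8; };    // localhost and the local LAN only
    allow-transfer { 10.2.3.5; };              // internal slave only (placeholder address)
};
zone "foo.com" {
    type master;
    file "foo.com.internal";
};

; ---- foo.com.external: only records meant to be visible from the Internet ----
$TTL 86400
@     IN SOA ns1.foo.com. hostmaster.foo.com. ( 2001070101 3600 900 604800 86400 )
      IN NS  ns1.foo.com.
ns1   IN A   1.2.3.1
a     IN A   1.2.3.4      ; routable address of the DMZ host; b and c are absent on purpose

; ---- foo.com.internal: everything, with the inside addresses ----
$TTL 86400
@     IN SOA ns1.foo.com. hostmaster.foo.com. ( 2001070101 3600 900 604800 86400 )
      IN NS  ns1.foo.com.
ns1   IN A   10.2.3.1
a     IN A   10.2.3.4     ; same host as above, as reached from behind the firewall
b     IN A   10.2.3.6     ; placeholder internal addresses
c     IN A   10.2.3.7
```

Because b and c never appear in foo.com.external, even a misconfigured allow-transfer on the external instance cannot leak them; a query for a.foo.com from each side of the firewall confirms which answer each instance gives.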

