--- Andrew Buenaventura <[EMAIL PROTECTED]>
wrote:
> it's my DNS server.  I found out that daemon is
> running the paranoid copy of
> named.conf which disallows query from addresses
> other than our IP block.  
> 
> can somebody please bang my keyboard on my head? ;)

This is kinda long but worth reading.

I hope I understood you right.

Never allow people to use your proxy DNS server except
your own block or your clients.

Why?
An explanation:

There are two classes of DNS servers: content and
proxy DNS servers. (The RFCs had this assumption that
DNS is one big server, and so do the OLD DNS software
packages, including BIND.) Modern DNS software has
separate programs that perform each role.

1. Content DNS server - as the name says, it serves DNS
content (i.e. if you own a domain, you use a content DNS
server to publish DNS information about the domain).

 1.1 Private content DNS server - as the name says,
it's a content server for private (internal) use (i.e.
for your own company or LAN).
 1.2 Public content DNS server - this serves as the
external view of the DNS for a domain. It should
listen on an IP reachable from the Internet (i.e. this
is the nameserver you enter when you register a
domain).

Note: content servers don't directly talk to each other,
except when doing zone transfers (BIND).

2. Proxy DNS server - it acts as an intermediary (I
hope I spelled that right) between DNS clients and other
DNS servers. DNS clients meaning applications that
call the gethostbyname() library function.
THEY HANDLE OUTGOING QUERIES. They answer those
queries with data they obtained by sending
one or more queries to DNS servers.
 2.1 Resolving proxy DNS server - they talk directly to
content DNS servers. They do the query resolution,
taking one or more partial answers from content DNS
servers and combining them into a complete answer to
return to the clients.
 2.2 Forwarding proxy DNS server - it talks to other
proxy DNS servers. They do not perform resolution; they
concentrate multiple streams of DNS traffic into a
single stream.
You only use forwarding proxy servers where
 a. there is an expensive, congested, slow link
between the DNS clients and the proxy DNS servers;
 b. Firewall - there is a firewall between the DNS
clients and the proxy DNS server (you want to reduce
the size of the DNS-shaped hole that you have to
knock into the firewall).
Forwarding DNS servers don't perform resolution;
they forward queries to the proxy DNS servers they are
configured to forward to.

Note: proxy DNS servers are what you put in
/etc/resolv.conf (*nix/Linuxes).

Content DNS servers and proxy DNS servers SHOULD NEVER
listen on a single IP.

Nobody should have access to your proxy DNS server
except you and your clients. Why? Because it ain't free.
It is like giving free access to your Squid PROXY
server. This is like giving away free bandwidth.

Scenario:
(exaggerated so you'll see the point)
An ISP with a mailing list with millions of users has
peering with your ISP. Its DNS admin, clever as he
is, tries to reduce the load on his proxy DNS server and
uses yours as his proxy DNS server.

1. The clueless ISP gets the load (wasting bandwidth
and resources for query resolution). Knowing BIND has
no sense of resource control, it tries to use every
resource of your box, and voila, BIND crashes (a good
example of a denial of service attack) and leaves you
with problems.
2. There are other denial of service attacks that you
should look at too if other people have access to your
proxy DNS server, such as cache flooding and query
flooding.

-Dek 

ONE THING: BIND AND DJBDNS CAN WORK TOGETHER,
using BIND as a content DNS server and using dnscache
(part of the djbdns package) as a proxy DNS server.

It's a good compromise; you should look at it.

"Sorry, need to point this out: many people are
committing a common mistake."




Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
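Added example, not from the original post or from either author: a named.conf that follows the split described above, with BIND acting as a public content server only and recursion left to a separate dnscache. Every address, ACL name, zone name and file name below is an assumed placeholder (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the substance is `recursion no` plus `allow-query { any; }`, which is the combination the "paranoid" config described in the quoted mail got wrong by restricting queries to the local block. The commented-out lines show the single-box compromise for the case where recursion cannot yet be moved off this named.

```conf
// Added example (not from the original post): BIND as a PUBLIC CONTENT
// server only. All addresses, ACL names and file names are assumed
// placeholders; 203.0.113.0/24 and 198.51.100.0/24 are documentation space.

acl "ournet" { 203.0.113.0/24; 127.0.0.1; };        // our own IP block
acl "secondaries" { 203.0.113.2; 198.51.100.2; };   // hosts allowed to zone-transfer

options {
    directory "/var/named";

    // Content and proxy roles get different IPs: named owns only this one;
    // dnscache (the proxy) listens on a separate internal address.
    listen-on { 203.0.113.1; };

    // A content server never resolves for anyone, so a stranger cannot
    // turn it into a free resolver (the DoS scenario in the mail above).
    recursion no;

    // The whole Internet must be able to ask about OUR zones; limiting
    // this to ournet is what made the "paranoid" named.conf break.
    allow-query { any; };

    // Zone transfers are the only server-to-server talk a content
    // server does, so limit them to the known secondaries.
    allow-transfer { secondaries; };

    // Single-box compromise (NOT the recommended split): if recursion must
    // stay on this named, keep allow-query any and restrict recursion only:
    //   recursion yes;
    //   allow-recursion { ournet; };
};

zone "example.com" {
    type master;
    file "example.com.zone";       // assumed zone file name
};

zone "113.0.203.in-addr.arpa" {
    type master;
    file "203.0.113.rev";          // assumed reverse zone file name
};
```

With `recursion no`, a query from outside for a name you are not authoritative for is refused (or, on older BIND, answered with a referral) instead of being resolved on the stranger's behalf, while queries for example.com are answered for everyone. For the proxy half, run dnscache on a second address that only your block can reach and list your own block explicitly: with the `dnscache` and `dnslog` accounts created first, `dnscache-conf dnscache dnslog /etc/dnscache 10.0.0.2` builds the service directory, `touch /etc/dnscache/root/ip/10.0.0` allows clients from 10.0.0.* and nobody else (both addresses are assumed placeholders), and 10.0.0.2 is then what goes into the clients' /etc/resolv.conf.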