On Tuesday 03 December 2002 03:18 pm, vince cagud wrote:
> Personally, I find djbdns a pain in the ass to configure, like having to
> run dnscachex on the LAN IP and tinydns on the localhost IP to have a
> recursive and authoritative name serving machine (having internal and
> external nameservers).

Well, sometimes it's hard to do the right thing; separating the authoritative 
from the recursive DNS server _is_ the right thing to do.


http://cr.yp.to/djbdns/separation.html


> I guess it's a natural offshoot of having to
> change to the Bernstein way of doing things.

<quote>
As stated in the ``DNS and BIND'' book, third edition, ``Securing Your Name 
Server,'' page 255: 

Some of your name servers answer nonrecursive queries from other name servers 
on the Internet, because your name servers appear in NS records delegating 
your zones to them. ... You should make sure that these servers don't receive 
any recursive queries (that is, you don't have any resolvers configured to 
use these servers, and no name servers use them as forwarders). 
</quote>


This is not the Bernstein way, this is the right way.

http://www.faqts.com/knowledge_base/view.phtml/aid/8740/fid/699

<quote>
Why is it important to separate the caching from the authoritative 
content server?

Firstly, for security reasons - allowing recursion on an authoritative 
server opens it up to poisoning attacks.  See the following URL:
  http://www.sans.org/infosecFAQ/firewall/DNS_Spoof.htm
....

</quote>



-Dek

Date: 5 Sep 2000 07:34:01 -0000
http://www.isc.org/ml-archives/bind-users/2000/09/msg00086.html

> - full (incoming and outgoing) AXFR?
Yes, djbdns can transfer arbitrary zones in or out through AXFR.
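The book passage quoted above says to make sure the servers listed in your NS records never receive recursive queries. The following is an added audit helper, not code from the thread or from djbdns: it builds a DNS query with RD set for a name the server is not authoritative for and classifies the reply. Everything here (function names, the constructed sample replies, the 0x1234 transaction id) is an assumption for illustration.

```python
import socket
import struct

# Constructed audit helper. An authoritative-only server (e.g. tinydns) should, for
# an off-zone name, clear RA and refuse or answer nothing, never return a record.

def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Minimal DNS A/IN query; RD (recursion desired) is set by default."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_flags(response: bytes) -> dict:
    """Header fields an auditor cares about, from a raw DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),  # authoritative answer
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,     # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def offers_recursion(response: bytes) -> bool:
    """True if the reply to an OFF-ZONE query shows resolver behaviour."""
    f = parse_flags(response)
    return f["ra"] or (f["rcode"] == 0 and f["answers"] > 0)

def probe(server: str, off_zone_name: str, timeout: float = 2.0) -> dict:
    """Send the RD query over UDP/53 and classify the reply (needs network)."""
    query = build_query(off_zone_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    result = parse_flags(data)
    result["recursion_offered"] = offers_recursion(data)
    return result

# Constructed sample replies to the same question section, for offline checks.
QUESTION = build_query("example.com")[12:]
# QR=1, RD=1, RA=0, RCODE=REFUSED: what an authoritative-only server should say.
REPLY_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# QR=1, RD=1, RA=1, NOERROR with one A record: the server resolves for anyone.
REPLY_RESOLVED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\x5d\xb8\xd8\x22")
```

Run `probe()` against each address listed in your own NS records with a name outside your zones; a reply that `offers_recursion()` flags is the configuration the quoted passages warn about.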
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph