On 03/13/2013 01:39 PM, Gregory Sloop wrote:
>>> If you are doing that, then I suggest you find a different way to operate - the AD DC is the security heart of the network, and should be more protected than that.
>
> GR> My AD DC is not directly connected to the internet. It is behind an internet gateway router which has 53 open and routing traffic to/from the BIND server on the AD DC. Nothing unusual about this.
>
> GR> The point of the split DNS and views is exactly to prevent exposing the internal network to the outside world.
>
> Which, to me at least, means that queries from the world are hitting the BIND server on your AD - which is *exactly* what Andrew was talking about.
>
> ...And when someone finds a way to compromise BIND, your AD is also totally compromised. It's probably a lot easier to burn down and rebuild a BIND server vs your whole AD infrastructure.
>
> I guess this whole branch of the discussion is essentially off-topic, but were I in your shoes, I'd be running a stand-alone BIND server completely separate from the AD for security as well as simplicity purposes. [Or moving the "external" DNS services into a service provider somewhere.]
>
> ...Or run it in a VM if you have to. Just don't, IMO, run a world-reachable BIND server as part of AD.
I have plenty of installations that are set up running separate DNS machines. Just not this one, which is running just for some testing.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
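The split-DNS layout with views that the quoted messages argue about, as an added named.conf excerpt that is not from the thread or from Samba; the zone names, address ranges and file paths are placeholders.

```conf
// Added example, not from the thread. Names, addresses and paths are placeholders.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Port 53 is forwarded from the gateway to this host, so recursion
    // must be limited to internal clients or the DC becomes an open resolver.
    allow-recursion { "internal"; };
    version "none";
};

// Internal view: carries the AD zone (SRV and _msdcs records included)
// and answers recursive queries for internal clients only.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "ad.example.internal" {
        type master;
        file "ad.example.internal.db";
        // On a Samba AD DC this zone would normally be served by Samba's
        // BIND9 DLZ module instead of a static zone file.
    };
};

// External view: matches everything else. Only the public zone, no
// recursion, and the AD zone is simply absent, so outside queries for it
// get REFUSED/NXDOMAIN rather than internal data.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" {
        type master;
        file "example.com.db";
    };
};

// Caveat, and the point raised in the thread: views separate data and
// policy, not processes. Both views are served by the same named on the
// DC, so a flaw in named is a flaw on the DC host whichever view is hit.
```

Checking that the internal zone is invisible from outside (e.g. `dig @public-ip ad.example.internal SOA` from an external host) is the quick test that the views are matching as intended.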
