Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
On Tuesday, August 30, 2016, Woodworth, John R <john.woodwo...@centurylink.com> wrote:
> I have a slightly unorthodox view on this which may even offer a bit more
> security.  The answers are listed below inline.
>
>  ...

Thanks, John.

Best regards,

-Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rndc on local host: need named running?

2016-08-30 Thread Tom Browder
On Tuesday, August 30, 2016, Cathy Almond wrote:

> On 28/08/2016 02:48, Lyle wrote:
> > Use any in the allow stanza.
>
> You'll be using a shared key for this to work anyway, but I'd suggest
> being slightly more paranoid than 'any' in the allow stanza - perhaps
> the address range in which your local machine is to be allocated its
> address?
>

Thanks, Cathy.

Best regards

-Tom

RE: rndc on local host: need named running?

2016-08-30 Thread Woodworth, John R
> My plan is to have two remote, authoritative name servers
> (master and slave) for my owned domains.  I would like to use rndc
> to control them from my local host.
>
> A couple of questions:

Tom,

I have a slightly unorthodox view on this which may even offer a bit more
security.  The answers are listed below inline.

>
> 1. Does named need to be running on the local host?

No, in fact you don't even need rndc installed locally or a
machine necessarily capable of running rndc.

You can invoke rndc via ssh using ssh keys and best of all the rndc
control port does not need to be exposed to the world.

An example use would be:
  #> ssh user@secrethost rndc reconfig

Which would invoke the 'rndc reconfig' command remotely.

A point of note would be the rndc *version* would also always be
in perfect synchronization with the local version of the server
further lowering the overall LOE (maintenance) for the remote client.


>
> 2. Can I use rndc from my local host which doesn't have a fixed
> ip address?


With this configuration it would not matter the source IP (apart from
ssh configuration).  I would also highly recommend some type of
"role account" to further increase security and minimize risk of
unintentionally allowing elevated privileges.

Most of all, as with any security tool if you are not at least familiar
with ssh and any risks associated, please step cautiously and minimally
familiarize yourself with it or avoid it.  Better safe than sorry.


Regards,
John


>
> Thanks.
>
> Best regards,
>
> -Tom
>


Re: rndc on local host: need named running?

2016-08-29 Thread Cathy Almond
On 28/08/2016 02:48, Lyle wrote:
> Use any in the allow stanza.

You'll be using a shared key for this to work anyway, but I'd suggest
being slightly more paranoid than 'any' in the allow stanza - perhaps
the address range in which your local machine is to be allocated its
address?

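Putting John's ssh "role account" and Cathy's "stricter than any" advice together, here is an added example (not code from any of the posters) of the forced-command wrapper such an account would be pinned to; the file paths, the key line and the named.conf fragment in the comments are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread.  In the role account's
# ~/.ssh/authorized_keys the operator's key is pinned to this script
# (path assumed), so the key can run only the rndc subcommands listed below:
#   command="/usr/local/bin/rndc-wrapper",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... tom@laptop
# The rndc control channel itself stays on loopback, the strict form of
# Cathy's allow list, e.g. (assumed named.conf):
#   controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };

RNDC=${RNDC:-/usr/sbin/rndc}   # assumed location of the rndc binary

# Return 0 if the requested command line is one of the allowed rndc
# invocations.  Zone names are limited to hostname characters so a caller
# cannot smuggle shell metacharacters, extra arguments or options through.
rndc_allowed() {
    case "$1" in
        "rndc status"|"rndc reconfig"|"rndc reload")
            return 0 ;;
        "rndc reload "*)
            zone=${1#"rndc reload "}
            case "$zone" in
                ""|*[!A-Za-z0-9.-]*) return 1 ;;
                *)                   return 0 ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# Entry point when sshd runs the forced command: SSH_ORIGINAL_COMMAND holds
# what the client asked for.  Anything outside the allow-list is logged and
# refused, so a misused key can do no more than the operations listed above.
run_forced_command() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if rndc_allowed "$req"; then
        logger -t rndc-wrapper "allowed: $req"
        set -- $req          # word-split is safe: the allow-list admits no metacharacters
        shift                # drop the leading "rndc" and exec the real binary by full path
        exec "$RNDC" "$@"
    fi
    logger -t rndc-wrapper "refused: $req"
    echo "rndc-wrapper: command not permitted" >&2
    exit 1
}

# Run the entry point only when invoked by sshd, so the file can be sourced
# to exercise rndc_allowed on its own.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    run_forced_command
fi
```

With this in place the client side stays exactly as John wrote it (`ssh user@secrethost rndc reconfig`), and the source IP of the laptop never matters to named.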


Re: rndc on local host: need named running?

2016-08-27 Thread Lyle

Use any in the allow stanza.


On 08/27/16 19:54, Tom Browder wrote:
> On Saturday, August 27, 2016, Lyle wrote:
>
>> On 08/27/16 10:54, Tom Browder wrote:
>>
>> https://calomel.org/dynamic_dns_ddns.html
>> My plan is to have two
>> 2. Can I use rndc from my local host which doesn't have a fixed
>> ip address?
>>
>> ...
>>
>> Let me Google that for you and the answer is:
>>
>> https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch03s04.html
>
> Thanks, Lyle. I've seen that, I have the book. But it's not real clear
> to a novice that it works without the remote host knowing the incoming
> ip address.
>
> But I have enough info now to risk putting my name servers on line
> without fear of destroying the dns system of the internet!
>
> Best regards,
>
> -Tom




Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Lyle wrote:

> On 08/27/16 10:54, Tom Browder wrote:
>
> https://calomel.org/dynamic_dns_ddns.html
> My plan is to have two
>
> 2. Can I use rndc from my local host which doesn't have a fixed ip address?
>
> ...

> Let me Google that for you and the answer is:
> https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch03s04.html
>

Thanks, Lyle. I've seen that, I have the book. But it's not real clear to a
novice that it works without the remote host knowing the incoming ip
address.

But I have enough info now to risk putting my name servers on line without
fear of destroying the dns system of the internet!

Best regards,

-Tom

Re: rndc on local host: need named running?

2016-08-27 Thread Lyle



On 08/27/16 10:54, Tom Browder wrote:
> My plan is to have two remote, authoritative name servers (master and
> slave) for my owned domains.  I would like to use rndc to control them
> from my local host.
>
> A couple of questions:
>
> 1. Does named need to be running on the local host?

No.

> 2. Can I use rndc from my local host which doesn't have a fixed ip
> address?

Let me Google that for you and the answer is:

https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch03s04.html

> Thanks.
>
> Best regards,
>
> -Tom





Re: rndc on local host: need named running?

2016-08-27 Thread Tom Browder
On Saturday, August 27, 2016, Warren Kumari wrote:

> On Saturday, August 27, 2016, Tom Browder wrote:
>
>> My plan is to have two remote, authoritative name servers (master and
>> slave) for my owned domains.  I would like to use rndc to control them from
>> my local host.
>> A couple of questions:
>>
>  ...

Thanks, Warren!

Best regards,

-Tom

Re: rndc on local host: need named running?

2016-08-27 Thread Warren Kumari
On Saturday, August 27, 2016, Tom Browder wrote:

> My plan is to have two remote, authoritative name servers (master and
> slave) for my owned domains.  I would like to use rndc to control them from
> my local host.
>
> A couple of questions:
>
> 1. Does named need to be running on the local host?
>

Nope.

> 2. Can I use rndc from my local host which doesn't have a fixed ip address?
>

Yup.

W


> Thanks.
>
> Best regards,
>
> -Tom
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf