> Andrew Smith wrote:
>>
>> > Rahul Garg wrote:
>> >>
>> >> well the problem goes like this-
>> >>
>> >> i have made my linux m/c as dns server and its domain is linux i
>> >> have another windows server and its domain is say windows.
>> >> now when a request comes, i want is my linux m/c dns server to
>> >> first lookup for linux dns server (with domain linux) and if not
>> >> present
>> >> then it should look up for windows server(domain shakti)
>> >> ie. i should be able to ping to windows server m/c and its clients
>> >> even if
>> >> those clients(hosts) are not mentioned as hosts in linux dns
>> >> server.
>> >>
>> >> what i think is , i have to make windows server as slave of linux
>> >> server - am i right?
>> >> if yes, then where i have to make changes -on linux m/c or windows
>> >> m/c and what changes??
>> >>
>> > ---
>> > I'm not entirely clear on the exact setup but I will describe what I
>> > would do in a particular scenario but this might depend upon the loads
>> > of the various servers involved and the actual server daemons
>> > running on both the linux & windows servers.
>> >
>> > Assuming that you are running the linux server as an internet
>> > gateway and the Windows Server is at least Windows 2000 server...
>> >
>> > The easiest thing to do is to run dhcp and dns on Windows 2000
>> > server and have dhcp update dns on the windows server and then on
>> > the linux system, have /etc/resolv.conf point first to the windows
>> > server. Then you don't need to run named/bind on the linux system at
>> > all, don't have to worry about security issues, slave servers etc.
>> > Otherwise, you would have to run dns on linux and allow updates from
>> > Windows server - not sure why you would want to run slave servers
>> > unless your loads are great or you are providing dns services to the
>> > public.
>> >
>> > If you have to expose dns to the public internet, then all bets are
>> > off, you will need to become intimate with dns/named/bind because
>> > there are so many security issues to deal with.
>> >
>> > As for your question, you can make either server the slave and the
>> > master as both are capable of either role. The questions really are
>> > - who is the dns for...the internal lan, the public internet or
>> > both?
>> >
>> > A suggestion for you...get webmin <http://www.webmin.com> as this
>> > will make setting up bind a bit easier on linux despite the fact
>> > that it writes out very clumsy zone files, they work and simplify
>> > the process.
>> >
>> > Craig
>>
>> Hmmm,
>> well I used to run a Windows NT 4.0 Server DNS server before I got
>> into using Linux and the DNS server on Windows NT 4.0 sent a message
>> to MS every 45 minutes.
>> You trust Microsoft?
>>
>> So what are the security issues to deal with?
>> My computers are still being hit by stupid Windows servers that have
>> contracted viruses that Microsoft said most people would not be
>> affected by. If you are saying that windows is more secure than Linux
... the line above ...
>> then I'd suggest you discuss the mythical virtues of a Microsoft
>> Server on some MS list where everyone will believe through
>> ignorance/misinformation.
>>
>> DNS and DHCP on Linux are easy to set up.
> ----
> I was discussing one particular scenario - it actually is a common one
> for me.
>
> Linux is internet router, Windows server is on internal lan only.
> Security of DNS is obviously safer running on the Windows server since
> it is only on internal lan and not exposed to the internet. Moreover,
> out of the box, Windows 2000 Server / Advanced Server et al. has
> dynamic dns whereas dhcpd supplied by RedHat is not. Yes, there is a
> 3.0 version that is dynamic but it is not part of the regular distro.
>
> I never expose Windows servers to the internet for just the same
> reasons that you suggest - or perhaps one simple one, I would be unable
> to keep up the maintenance of all the various servers that I maintain
> if they were running IIS etc. and connected to the public internet.
>
> As for the security issues on linux - BIND (named on RH 7.x) has
> traditionally been the subject of so many security advisories and
> stories on how to prevent / limit the damage to a hacked system from
> bind exploits. Since I have had boxes that suffered exploits from this
> very issue, I am much more careful about where and how I set up
> machines that run BIND.
>
> Sorry to speak such heresy on this message board but in this one
> scenario, I believe it to be easier and safer - other scenarios that
> will probably not be the case. At least recognize that I don't suggest
> that you port forward reaching the external ip on any ports to this
> server.
>
> Craig

Craig,

OK, I guess I should have highlighted the word "IF" on the line marked above.
I got the impression from your email (and I'm sure most others did)
that you were suggesting that Windows is easier and better to use
for DNS/DHCP than Linux - again if you are saying that then I'd
totally disagree with you!
(of course if you cannot access the Windows machine from the outside
net but can access the Linux machine - the windows machine is more
secure - but only if he specifically does this - most people wouldn't
think to do that)

I still don't follow your problem with BIND though.

OK - I'll put what I said above in better context ...

With Linux, the security advisories/updates may be regular, BUT they
exist, they don't try to cover up the truth and you just download them
and update your system (or on RedHat you make sure you have the
automatic update software running) and as soon as a problem is found
and an update is available on RedHat it will be updated.

Microsoft - on the other hand - have specifically denied the truth
regarding security holes and problems. There are still MANY computers
on the net that have the IIS problems and are infected and I'm sure
MANY of these believed Microsoft when they said that home users running
Windows 2000 did not need to worry about it (which is WRONG since the
install default is to install IIS)

--
-Cheers
-Andrew

MS ... if only he hadn't been hang gliding!

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
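
Added example, not part of the original thread and not written by any of the posters: a BIND 9 named.conf fragment for the layout discussed above, where the Linux gateway answers its own "linux" zone, hands names under "windows" to the internal Windows DNS server, and serves only the internal LAN. All IP addresses and the zone file name are constructed assumptions; the zone names are the ones used in the thread.

```conf
// Constructed example: internal network and loopback only.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };   // assumed LAN range

options {
    directory "/var/named";                 // Red Hat's default zone directory

    // Bind only to loopback and the LAN-side address, so named does not
    // listen on the internet-facing interface of the gateway.
    listen-on { 127.0.0.1; 192.168.1.1; };  // assumed LAN address of the gateway

    // Refuse queries and recursion from anything outside the LAN.
    allow-query     { "lan"; };
    allow-recursion { "lan"; };

    // No zone transfers unless a slave is configured explicitly.
    allow-transfer  { none; };
};

// Names under "linux" are answered from the local zone file.
zone "linux" {
    type master;
    file "linux.zone";                      // assumed file name
    allow-update { none; };                 // no dynamic updates accepted
};

// Names under "windows" are passed to the Windows DNS server.
// "forward only" stops named from falling back to the root servers
// for this internal-only domain.
zone "windows" {
    type forward;
    forward only;
    forwarders { 192.168.1.10; };           // assumed address of the Windows server
};
```

Clients that use unqualified host names still need both domains in their resolver search list for this to cover the "ping a Windows client by name" case from the original question.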