
Re: Using BIND in a chroot enviro?



On 2001.07.01, Vineet Kumar <debian-security@virtual.doorstop.net> wrote:
> Also, you need not run 2 separate instances of bind to get the
> functionality described below. I can't tell by your description
> exactly what access you're allowing to each interface, but mine looks
> something like this:
> 
> the Internet can query my server for zones it's authoritative for.
> localhost and anyone in the local net can query the server for caching
> and forwarding to the ISP's nameservers. It's set up using a
> forwarders statement and an allow-recursion statement like this:

That's not exactly what I do.  This is more like it:

I have hosts a.foo.com, b.foo.com, and c.foo.com on my local
LAN.  a.foo.com is in my DMZ (visible to the Internet) but
b.foo.com and c.foo.com are internal hosts not visible to
the Internet.  While it's true that I have domain transfers
restricted to my slave DNS servers so I don't have to worry
about some stranger doing a "ls -d" against my foo.com domain
and finding out the names for my other hosts, I don't even
want them in the zone file for foo.com that's visible to
the outside world.

So, I run two instances of BIND ... I set listen-on and
allow-query for each so that the external DNS listens on
the interface that sits on the DMZ, and the internal DNS
listens on the interface that sits behind the firewall.

Hosts on the Internet or out in the DMZ can only resolve
addresses I choose to publish on the outside.  Hosts on
my local LAN can resolve all of my hostnames.  There's no
way of accidentally exposing records as they live in two
separate zone files.

Another benefit:  I want "a.foo.com" accessed as 1.2.3.4
from the Internet (as that's its routable IP) but
as 10.2.3.4 from a host behind my firewall.  With my
set-up, I can do this easily.  In my external DNS zone
file for foo.com, I set the IN A record to point to
1.2.3.4, and in my internal DNS zone file for foo.com,
I set the IN A record to point to 10.2.3.4.  Really
simple.

- Dossy

-- 
Dossy Shiobara                       mail: dossy@panoptic.com 
Panoptic Computer Network             web: http://www.panoptic.com/ 
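The two-instance layout Dossy describes, written out as an added example; this is not configuration from the original post, and the interface addresses (1.2.3.1 on the DMZ side, 10.2.3.1 inside), the slave at 5.6.7.8, the ISP resolver at 192.0.2.53, the file paths and the b/c host addresses are all assumed for illustration. Each instance gets its own config file, working directory and pid-file, binds only to its own interface with listen-on, and serves its own copy of the foo.com zone, so the DMZ-facing server never even loads the internal records:

```conf
// ---- /etc/bind/named-external.conf (hypothetical path) ----
// Started as:  named -u bind -t /var/chroot/bind-external -c /etc/bind/named-external.conf
options {
    directory "/var/cache/bind-external";
    pid-file  "/var/run/named-external.pid";   // must differ from the internal instance
    listen-on { 1.2.3.1; };                     // assumed DMZ interface address only
    listen-on-v6 { none; };
    allow-query { any; };                       // the Internet may ask about the published zone
    recursion no;                               // authoritative only; no caching for strangers
    allow-recursion { none; };
    allow-transfer { 5.6.7.8; };                // assumed slave; blocks "ls -d" from anyone else
};

zone "foo.com" {
    type master;
    file "foo.com.external";                    // contains only what is meant to be public
};

// ---- foo.com.external (external zone file) ----
// $TTL 3600
// @   IN SOA  a.foo.com. hostmaster.foo.com. ( 2001070101 3600 900 604800 3600 )
//     IN NS   a.foo.com.
// a   IN A    1.2.3.4        ; routable address; b and c are deliberately absent

// ---- /etc/bind/named-internal.conf (hypothetical path) ----
// Started as:  named -u bind -t /var/chroot/bind-internal -c /etc/bind/named-internal.conf
options {
    directory "/var/cache/bind-internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 127.0.0.1; 10.2.3.1; };         // assumed inside interface and loopback
    listen-on-v6 { none; };
    allow-query     { 127.0.0.1; 10.2.3.0/24; };  // LAN only
    allow-recursion { 127.0.0.1; 10.2.3.0/24; };  // LAN hosts may use it as a cache
    forwarders { 192.0.2.53; };                 // assumed ISP resolver for everything else
    allow-transfer { none; };
};

zone "foo.com" {
    type master;
    file "foo.com.internal";                    // full internal picture, never loaded externally
};

// ---- foo.com.internal (internal zone file) ----
// $TTL 3600
// @   IN SOA  a.foo.com. hostmaster.foo.com. ( 2001070101 3600 900 604800 3600 )
//     IN NS   a.foo.com.
// a   IN A    10.2.3.4       ; same name as outside, private address inside
// b   IN A    10.2.3.5       ; assumed internal-only hosts
// c   IN A    10.2.3.6
```

Two checks are worth running after bringing both instances up: from a DMZ host, `dig @1.2.3.1 b.foo.com A` should return NXDOMAIN and `dig @1.2.3.1 a.foo.com A` should return 1.2.3.4, while from the LAN `dig @10.2.3.1 a.foo.com A` should return 10.2.3.4. The listen-on and allow-query statements only control what BIND itself will answer; the firewall still has to stop DMZ or Internet traffic from reaching port 53 on 10.2.3.1, otherwise the internal instance is one spoofed packet away from the outside world.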


