Forwarding to a non-standard port

Jim Reid jim at mpn.cp.philips.com
Tue Jun 15 16:43:27 UTC 1999


>>>>> "Christine" == Christine Tran <Christine.Tran at East.Sun.COM> writes:

    Christine> From a security perspective, is it better to run my
    Christine> forwarder (intended only for my internal nameservers)
    Christine> and my external nameserver (publishes only a handful of
    Christine> hostnames to outsiders) as two separate named
    Christine> processes listening on two interfaces?  My forwarder
    Christine> would do recursion for the internal ns, what's the harm
    Christine> if outsiders use this service too?  (load, obviously,
    Christine> but what else?) I can turn off recursion for queries
    Christine> from outside but it's unfriendly and is it standard
    Christine> practice these days?

It's definitely better to run two distinct name server processes on
the bastion host, one providing name service to the outside and one for
the internal network. [You probably don't need/want forwarding on the
internal name server, but that's another story.]

The outside name server should hold the external naming information
ONLY and should have recursion disabled. That way it can only tell the
outside world about the things it already knows: the stuff you want to
let the outside world know about your domain. That name server
probably doesn't need to look up anything else anyway.

If outsiders can get to the internal name server, they can look up your
internal (private?) name space. You probably don't want that. First of
all, disclosing the contents of the internal name space may well be a
security/privacy problem. Secondly, queries from the outside could get
returned names of internal web or mail servers that are unreachable
from the outside. Finally, if the internal name space is visible
externally, there's no point in implementing split DNS. It's a bit
like installing a strong lock on your front door and then always
leaving the key in it.
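As an added illustration (not part of the original post), here is how the two separate named processes described above could be configured, one named.conf per process; the addresses 192.0.2.1 (outside interface), 10.0.0.1 (inside interface), the file paths and the domain example.com are all assumptions.

```conf
// ---- /etc/named-external.conf (assumed path)
// ---- started as:  named -c /etc/named-external.conf
options {
    directory "/var/named/external";        // assumed directory
    pid-file "/var/run/named-external.pid"; // each process needs its own pid file
    listen-on { 192.0.2.1; };               // outside interface only (assumed address)
    recursion no;                           // answers come only from the zones loaded below
    allow-recursion { none; };              // belt and braces: recursion for nobody
    allow-query { any; };                   // outsiders may ask about the public zone
};

// The public zone: only the handful of names meant to be visible outside.
zone "example.com" {
    type master;
    file "example.com.external";
};

// ---- /etc/named-internal.conf (assumed path), a SEPARATE file
// ---- started as:  named -c /etc/named-internal.conf
options {
    directory "/var/named/internal";
    pid-file "/var/run/named-internal.pid";
    listen-on { 10.0.0.1; };                // inside interface only (assumed address)
    recursion yes;                          // recursion for the internal name servers
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-query { 10.0.0.0/8; 127.0.0.1; }; // never answer outsiders about the internal name space
};

// The full internal zone, which is never served on the outside interface.
zone "example.com" {
    type master;
    file "example.com.internal";
};
```

A check worth doing afterwards: a query such as `dig @192.0.2.1 www.example.com` should come back without the RA (recursion available) flag in its header, while the same query against 10.0.0.1 from outside the listed networks should be refused.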
