Doh: Lame server on '' (in ''?) , plus some security stuff.

Lincoln Yeoh lyeoh at pop.jaring.nospam.my
Tue Mar 21 17:30:33 UTC 2000


I have two BIND named servers.
One is "external". The other is "internal" and has forwarder set to the
external.

Things seem to be working (have not hooked up to the Internet for an
Internet test yet, though).

But in my syslog I get:
Lame server on '' (in ''?)

Yep, nothing in between the single quotes.

I suspect it's to do with the "." hint/cache zone. What am I doing wrong?
The darn server can't be authoritative for the cache zone right? And if
it's to do with ".", why does it complain about '' and not '.'?

OK: here's how I'm trying to set things up:

External DNS:
Only serves own domain, must not serve other domains up to outsiders, so I
set recurse=no. This should help reduce chances of active DNS poisoning,
right? Will turning off the glue thingy help? Must not do zone transfers
either.

Internal DNS:
serves the internal users, but must naturally access the DNS servers
outside on the Internet somehow; I'm trying to use "forwarder" for this,
with forwarder set to the External server. But how do I only allow
recursive queries by internals and at the same time prevent recursive
queries by outsiders?

To make things even more fun I'm running these servers in a chroot'ed
environment on the same server:
http://www.etherboy.com/dns/chrootdns.html
(but with a few changes: the servers run as named:named and all the files
and directories are set to nobody:nobody 644, maybe should be the other way
round? Or should files+directories be owned by root?)

The servers run and I can query them and get the right answers for local
info; I have not had the chance to test queries to the Internet yet.

But am I missing something with the lame server?

The reason I'm doing all this is because BIND seems to be vying with
Sendmail for the Insecurity title. Seems rather strange to me; shouldn't
BIND be easier to get right than Sendmail? How good is chroot'ing at
securing stuff anyway?

Maybe it's time for someone to do a "Qmail" of BIND. 

I know of a commercial firewall (Cyberguard) with a similar split DNS
configuration and it works pretty well, but I believe they are using their
own named. 

Cheerio,

Link.
****************************
Reply to:     @Spam to
lyeoh at      @people at uu.net
pop.jaring.my @ 
*******************************
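As an added illustration (not the poster's configuration and not from the
original message), here is one way to express the split setup described
above in named.conf syntax for both servers. The zone name, file paths, and
the address ranges are assumptions. One point worth noting when following
the plan above: a forwarder must itself perform recursion, so setting the
external server to `recursion no` outright would make the internal server's
forwarded Internet lookups fail. Restricting recursion to the internal
address range with `allow-recursion` instead keeps outsiders from using the
external server as a resolver while still letting the internal server
forward through it. Zone transfers are limited with `allow-transfer`.

```conf
# Added example, not the poster's files. BIND 8.2+/BIND 9 syntax.
# Zone name, file names, 10.0.0.0/8 and the 192.0.2.x addresses are assumed.

# ---------- external server: named.conf ----------
acl "internal"    { 127.0.0.1; 10.0.0.0/8; };   # assumed internal range
acl "secondaries" { 192.0.2.53; };              # assumed secondary NS

options {
    directory "/var/named";
    # Do NOT use "recursion no;" here: the internal server forwards to this
    # one, and a forwarder has to recurse on its behalf. Instead, recurse
    # only for the internal range; everyone else gets REFUSED on recursion.
    allow-recursion { "internal"; };
    # Zone transfers only to the known secondary; use { none; } if none.
    allow-transfer  { "secondaries"; };
    # fetch-glue no;    # BIND 8 only (reduces cached glue); removed in BIND 9
};

zone "." {
    type hint;
    file "named.root";          # needed for the recursion done for "internal"
};

zone "example.com" {
    type master;
    file "db.example.com";
    # Serves the public view of the domain to the whole Internet.
};

# ---------- internal server: named.conf ----------
acl "internal" { 127.0.0.1; 10.0.0.0/8; };      # same assumed range

options {
    directory "/var/named";
    forward only;                      # never talk to Internet servers directly
    forwarders { 192.0.2.1; };         # assumed address of the external server
    allow-query     { "internal"; };   # answer only internal clients
    allow-recursion { "internal"; };   # outsiders cannot use this as a resolver
    allow-transfer  { none; };         # no zone transfers from the internal view
};

zone "." {
    type hint;
    file "named.root";   # still required even with "forward only"
};

zone "example.com" {
    type master;
    file "db.example.com.internal";    # internal view with private addresses
};
```

The two servers read different copies of the zone file, which is the point
of the split: the external copy carries only the public hosts, the internal
copy carries the private addresses that should never leave the network.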