Doh: Lame server on '' (in ''?), plus some security stuff.

Barry Margolin barmar at bbnplanet.com
Tue Mar 21 18:21:34 UTC 2000


In article <38d7aab5.9267855 at nntp.jaring.my>,
Lincoln Yeoh <lyeoh at pop.jaring.nospam.my> wrote:
>I have two BIND named servers.
>One is "external". The other is "internal" and has forwarder set to the
>external.
>
>Things seem to be working (have not hooked up to the Internet for an
>Internet test yet, though).
>
>But in my syslog I get:

Is this on the internal or external?

>Lame server on '' (in ''?)
>
>Yep, nothing in between the single quotes.
>
>I suspect it's to do with the "." hint/cache zone. What am I doing wrong?

Since you're not hooked up to the Internet, you're not able to get the
authoritative list of root servers from one of the root servers, so they
all seem lame.

>The darn server can't be authoritative for the cache zone right? And if
>it's to do with ".", why does it complain about '' and not '.'?

Because the code that displays domain names always leaves off the last "."
in the fully-qualified name.  When you do that with the "." domain, you get
"".  The code should probably check for this special case and display '.',
but it doesn't.

>OK: here's how I'm trying to set things up:
>
>External DNS:
>Only serves own domain, must not serve other domains up to outsiders- so I
>set recurse=no. This should help reduce chances of active DNS poisoning
>right? Will turning off the glue thingy help? Must not do zone transfers
>too.

If the internal server is forwarding to the external, the external needs to
allow recursion.  You can use the "allow-recursion" option to specify that
only recursive queries from the internal server should be processed.

>Internal DNS:
>serves the internal users, but must naturally access the DNS servers
>outside on the Internet somehow- I'm trying to use "forwarder" for this,
>with forwarder set to the External server. But how do I only allow
>recursive queries by internals and at the same time prevent recursive
>queries by outsiders? 

Like I said above, the "allow-recursion" option.

>The reason I'm doing all this is because BIND seems to be vying with
>Sendmail for the Insecurity title. Seems rather strange to me-  shouldn't
>BIND be easier to get right than Sendmail? How good is chroot'ing at

I've heard of far more security bugs in sendmail than BIND.  But they're
both pretty complex, and buffer overruns occasionally get found.  Most of
BIND's security problems haven't been of the type that allow root access,
but just things like cache poisoning (because it's fairly easy to spoof DNS
replies).

>securing stuff anyway?

Pretty good.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
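For concreteness, here is an added example (mine, not part of the original thread) of the two-server layout Barry describes: an external server that is authoritative for one zone and recurses only for the inside, and an internal server that forwards to it. The zone name example.com, the addresses 192.0.2.1 (external server) and 10.0.0.0/8 (internal network), and the file paths are placeholders; the acl, allow-recursion, allow-transfer, forward and forwarders statements are standard named.conf syntax (BIND 8.2 and later, BIND 9).

```conf
// ===== /etc/named.conf on the EXTERNAL server (example, assumed layout) =====
// Hosts permitted to use this server as a recursive resolver. Everyone
// else gets authoritative answers for example.com and nothing more.
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Recursion is still on (the internal server needs it), but only
    // queries from "inside" are allowed to trigger it.
    allow-recursion { "inside"; };
    // No zone transfers at all; list your secondary's address here instead
    // if you have one.
    allow-transfer { none; };
};

// Root hints: needed so the external server can find the real root servers.
zone "." { type hint; file "root.hints"; };

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ===== /etc/named.conf on the INTERNAL server (example, assumed layout) =====
options {
    directory "/var/named";
    // Never chase referrals to the Internet directly; hand every lookup
    // we cannot answer ourselves to the external server.
    forward only;
    forwarders { 192.0.2.1; };
    // Only inside clients may ask this server to resolve for them.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer { none; };
};

// Internal-only zones (hosts.example.com, reverse for 10/8, ...) go here.
```

Two things to check after deploying this. First, from an outside address the external server should answer a query for www.example.com but refuse (or return a non-recursive referral for) a query for some unrelated name; from the internal server the same unrelated name should resolve. Second, note the trade-off in Barry's suggestion: whatever host performs recursion keeps a cache, and that cache is what DNS spoofing attacks target, so the external server's cache is now exposed to replies arriving from the Internet. On BIND 9 also look at allow-query-cache, which controls who may read cached (non-authoritative) data out of a server regardless of allow-recursion; keeping the public authoritative server and the recursive resolver on separate hosts avoids the question altogether.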
