Doh: Lame server on '' (in ''?) , plus some security stuff.

Lincoln Yeoh lyeoh at
Wed Mar 22 14:55:49 UTC 2000

On 21 Mar 2000 13:48:51 -0800, Kevin Darcy <kcd at> wrote:

>> I don't understand what you're trying to do here. Are you going to block your
>> *inside* users from asking about your public domains? If a public domain is a

>I tend to think that a split namespace would be a better way to go, though: get
>that private data off the external box completely!

OK. Here's what I'm trying - firewall with two chrooted nameds ( Ok so
supposedly not a good idea to run DNS on firewall, but then run it

One external named, one internal.

External DNS:
People from unsecured external network can only do the following things:
1) query for PUBLIC hosts in Public= hosts they need to know
2) reverse query for IP in my ip range.
NOTHING else. 

Internal DNS:
People from internal network can do the following things:
1) recursive query for any hosts - ours, and outside.
2) Maybe zone transfers of internally visible DNS data owned by the

The darn tar.gz of the resulting directories takes up 5MB - due to all the
copies of shared libraries (each chrooted dns has it's own environment-
unlike in the HOWTO, where it's shared ).

Will probably have to look at DNScache as an alternative to BIND- looks

Reply to:     @Spam to
lyeoh at      @people at @ 

More information about the bind-users mailing list