
Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 19 21:51:41 UTC 2001


If your internal DNS server is only accessible from the inside, you don't need all of those ACLs -- you're not going to be getting external queries
anyway.

On your external server, it is redundant to restrict allow-query and allow-recursion to exactly the same ranges/hosts, since if a host can't even query
you, then there isn't a possibility of recursion.

Rather than have all of your DMZ boxes use your external DNS server, why don't you open things up so they can all run their own caching nameservers and
query Internet names directly? Note that this doesn't imply that they will *answer* queries from the Internet. The caching nameservers could just listen
on the loopback interfaces.

allow-transfer { none; } doesn't really buy you any security in the long run. It just makes your zone contents slightly more obscure, which could attract
the curiosity of a serious hacker just as easily as thwarting the efforts of a casual one.

Since you're forwarding from your internal server to your external one, why open your external server to the whole internal network? Why not just open it
up to the one address that is forwarding to you?

Lastly, you weren't really clear where your authoritative domains were being hosted. Somewhere in the DMZ (??) If at all possible, recursion should be
turned completely *off* on that box.

                                                                                                                                - Kevin

Meg wrote:

> To review this configuration
>
> Thanks for your comments.
>
> I have three interfaces: one internet, one internal network and one DMZ.
>
> I have two domains:
>
> Domain "test.com"   (external domain)
> Network 192.xx.xx.xx
> IP for external DNS 192.xx.xx.2
>
> Any node on the Internet may only establish a connection with systems in the DMZ. The DMZ has the web server and the primary DNS for the external network.
>
> Domain "abc" (internal domain)
> Network : 10.xx.xx.xx
>
> The internal network has the internal DNS and the servers.
>
> Queries for internal hostnames will be answered by the internal DNS, and queries for external hostnames will be forwarded back out to the external DNS.
>
> The internal DNS forwards queries it can't resolve to the nameservers on the DMZ.
>
> Internal DNS server config
>
> acl internals { 10/8; };
> acl externals { 192.xx.xx.2; };
> forward only;
> forwarders { 192.xx.xx.2; };
> allow-query { internals; };
> allow-recursion { internals; };
>
> External DNS server config
>
> acl internals { 10/8; };
> acl externals { 192.xx.xx.0/24; };
> ....
> ....
> ....
> allow-transfer { none; };
> allow-query { internals; externals; };
> allow-recursion { internals; externals; };
>
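As an added illustration (not part of Kevin's reply or Meg's post), here is how the named.conf files could look once Kevin's points are applied: the authoritative server with recursion off, a separate DMZ resolver opened only to the one internal forwarder, loopback-only caching nameservers on the DMZ hosts, and an internal server with no ACLs at all. The four `options` blocks are four separate files, one per server. All addresses are assumed placeholders (192.0.2.0/24 is the documentation range; 10.0.0.53 stands for the internal DNS server), and the `secondaries` ACL is an assumption about who would be allowed zone transfers.

```conf
// --- named.conf on the DMZ authoritative server for test.com (public-facing) ---
// Recursion is turned completely off, so this box only answers for zones it
// holds; with no recursion there is nothing for allow-recursion to restrict.
acl secondaries { 192.0.2.3; };          // assumed secondary nameserver address

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };                // the Internet must be able to ask for test.com
    allow-transfer { secondaries; };     // zone data is public anyway; this only limits bulk copies
};

zone "test.com" {
    type master;
    file "db.test.com";
};

// --- named.conf on the DMZ caching resolver used by the internal forwarder ---
// Only the single internal DNS server that forwards to us needs access, so the
// ACL holds that one address rather than the whole 10/8 network. A host that
// cannot query cannot recurse, so allow-query alone is sufficient here.
acl internal_forwarder { 10.0.0.53; };   // assumed address of the internal DNS server

options {
    directory "/var/named";
    listen-on { 192.0.2.2; };            // assumed resolver address
    allow-query { internal_forwarder; localhost; };
};

// --- named.conf on an individual DMZ host (e.g. the web server) ---
// A caching nameserver bound to loopback only: it resolves Internet names for
// the local box but is unreachable from outside, so it never answers the Internet.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    allow-query { localhost; };
};

// --- named.conf on the internal server (10/8, reachable only from inside) ---
// No allow-query / allow-recursion lists: the server is not exposed, so the
// network it sits on already decides who can reach it.
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.2; };           // the DMZ resolver above
};

zone "abc" {
    type master;
    file "db.abc";
};
```

If the authoritative zone and the resolver must share one DMZ box, the resolver's `allow-query` would have to open up to `any` for test.com answers to reach the Internet, and the recursion limit then has to come from `allow-recursion { internal_forwarder; localhost; };` instead; that is the case where the two directives stop being redundant.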





More information about the bind-users mailing list