[SPAM]Dynamic DNS on User network & static DNS: synergy problems

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 24 23:28:46 UTC 2004


No, this is a resolver function, not a nameserver function. BIND has no 
way to "guess" what domain the user wants appended to its query, nor 
should it be in the business of making such guesses.

IMO, you should never have allowed your users to get used to using 
shortnames in the first place. Shortnames almost invariably lead to 
searchlists, and searchlists are highly inefficient in 
nameserver-infrastructure-resource terms, and can lead to security 
problems too (you think you're connecting to 
bighost.maincampus.company.com, but because of the order of your 
searchlist, you end up connecting to 
bighost.research-lab-with-rogue-internet-connection.company.com instead, 
where someone steals your password and posts it on IRC for laughs).

Trust me: we did the whole shortname/searchlist thing and learned our 
lesson the hard way...

                                                                         
                              - Kevin
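The searchlist hazard Kevin describes, as an added example that is not part of the original thread: a small simulation of how a stub resolver expands a short name through its search list, so the security point (same short name, different host depending on list order), the cost point (one query per search domain on every miss) and steve's own "iceberg" case can all be seen from the query log. The names, addresses and the in-memory "zone" table are constructed for illustration; nothing here is real DNS data or code from either poster.

```python
"""Search-list expansion, simulated: why a short name can land on the wrong host.

Added example, not part of the original mailing-list thread. All names,
addresses and the 'zone' table below are constructed for illustration; an
in-memory dict stands in for real DNS queries.
"""
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data (FQDN -> address). Two unrelated zones under
# the same parent both happen to own a host whose leftmost label is "bighost".
ZONE_DATA: Dict[str, str] = {
    "bighost.maincampus.company.com.": "10.1.1.10",
    "bighost.research-lab.company.com.": "10.9.9.9",   # constructed 'rogue' lab zone
    "iceberg.domain.com.": "172.16.1.99",
    "jimmy.users.domain.com.": "172.16.100.42",
}


def lookup(name: str, queries: List[str]) -> Optional[str]:
    """One query to the 'nameserver'; appends the FQDN asked for to `queries`."""
    fqdn = name if name.endswith(".") else name + "."
    queries.append(fqdn)
    return ZONE_DATA.get(fqdn)


def resolve(name: str, search_list: List[str], ndots: int = 1) -> Tuple[Optional[str], List[str]]:
    """Mimic a stub resolver with a search list (glibc-style 'ndots' rule).

    Returns (address or None, every FQDN that was queried, in order). A name
    ending in '.' is absolute and bypasses the search list entirely. Otherwise
    candidates are tried in order until one answers; a name with fewer than
    `ndots` dots is tried as-is only after every search domain has failed.
    """
    queries: List[str] = []
    if name.endswith("."):
        return lookup(name, queries), queries

    candidates = [f"{name}.{domain}" for domain in search_list]
    if name.count(".") >= ndots:
        candidates.insert(0, name)   # looks qualified enough: try as-is first
    else:
        candidates.append(name)      # short name: as-is is the last resort

    for candidate in candidates:
        addr = lookup(candidate, queries)
        if addr is not None:
            return addr, queries
    return None, queries


def search_order_matters() -> Tuple[Optional[str], Optional[str]]:
    """Same short name, same data, different answer purely from list order."""
    campus_first = ["maincampus.company.com", "research-lab.company.com"]
    lab_first = list(reversed(campus_first))
    campus_answer, _ = resolve("bighost", campus_first)
    lab_answer, _ = resolve("bighost", lab_first)
    return campus_answer, lab_answer


def fqdn_is_unambiguous() -> Tuple[Optional[str], int]:
    """An absolute name ignores the search list: one query, one possible answer."""
    addr, queries = resolve("bighost.maincampus.company.com.", ["research-lab.company.com"])
    return addr, len(queries)


def miss_cost(search_list: List[str]) -> int:
    """Queries generated by a mistyped short name: one per search domain, plus one."""
    _, queries = resolve("bighots", search_list)
    return len(queries)


def users_suffix_problem() -> Tuple[Optional[str], Optional[str]]:
    """steve's case: 'iceberg' with only users.domain.com as the suffix,
    then with domain.com appended to the client's search list."""
    only_users, _ = resolve("iceberg", ["users.domain.com"])
    both, _ = resolve("iceberg", ["users.domain.com", "domain.com"])
    return only_users, both


if __name__ == "__main__":
    print("order matters:", search_order_matters())
    print("fqdn:", fqdn_is_unambiguous())
    print("queries per miss:", miss_cost(["a.example", "b.example", "c.example"]))
    print("iceberg:", users_suffix_problem())
```

The last function shows why the DHCP-assigned users.domain.com suffix alone breaks steve's short names: the search list, not the nameserver, is what turns "iceberg" into "iceberg.domain.com", so either the clients need domain.com in their search list or they need to use fully qualified names.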

scsi wrote:

>Hello,
>
>I am responsible for getting DNS moved over to bind for our
>interoffice DNS servers. We are trying to add functionality to these
>servers so that they will allow dhcp leases (to windows 2000 clients)
>to create dns entries in the users.domain.com zone (i.e. 
>jimmy.users.domain.com). While I have this part working (and reverse
>mappings), it is proving difficult to do something else that we
>absolutely need.  In our current scheme windows boxes are just given
>the domain suffix domain.com, so when they go to type in a machine
>name like: iceberg, their box will search domain.com and return with
>iceberg.domain.com which resolves correctly.  However, when I allow
>dhcp to assign users the dns suffix of users.domain.com, they are
>unable to resolve iceberg to iceberg.domain.com.  I know that I can
>include all of the domain.com entries as A records in user.domain.com,
>but this is cumbersome. Also, I know I could manually go to each
>machine (or registry hack) and set them to search other domain
>suffixes.  What I don't know is if there is an easy fix for this so I can
>just tell bind to resolve all queries for iceberg (or any other
>machine name) to domain.com instead of duplicating the entries in a
>second zone. I have included my named.conf and both the
>users.domain.zone and domain.zone.  I left out the reverse mapping
>zones, they already work ok. Please Help!
>
>--thanx,
>steve
>
>
>--- named.conf
>
>key mykey {
>	algorithm hmac-md5;
>	secret "secret";	// placeholder as posted; the real value is a base64-encoded HMAC-MD5 key
>};
>
>acl "users"     { 172.16.100.0/24; 127.0.0.1;};
>
>logging {
>	channel "syslog7" {
>		syslog local7;
>		severity info;
>	};
>	category "default" {
>		"syslog7";
>	};
>};
>
>options {
>	directory "/var/bind";
>
>	// uncomment the following lines to turn on DNS forwarding,
>	// and change the forwarding ip address(es) :
>	forward first;
>	forwarders {
>		198.6.1.1;
>		198.6.1.2;
>		198.6.1.122;
>		198.6.1.144;
>	};
>
>	listen-on-v6 { none; };
>        listen-on { 127.0.0.1; 172.16.100.3; };
>
>	// to allow only specific hosts to use the DNS server:
>	allow-query {"users"; 172.16.1.0/24; };
>
>
>	// if you have problems and are behind a firewall:
>	//query-source address * port 53;
>	pid-file "/var/run/named/named.pid";
>};
>
>
>
>zone "127.in-addr.arpa" {
>	type master;
>	file "pri/127.zone";
>	allow-update { none; };
>	notify no;
>};
>
>zone "domain.com" {
>	type master;
>	file "pri/domain.zone";
>	allow-update { none; };
>	notify no;
>};
>
>zone "users.domain.com" {
>	type master;
>	file "pri/users.domain.zone";
>	allow-update { key mykey ; };
>	notify no;
>};
>
>
>
>#zone "." {
>#	type hint;
>#	forward first;
>#	file "pri/domain.zone"
>#};
>
>#zone "." IN {
>#        type hint;
>#        file "named.root";
>#};
>#zone "." {
>#	type hint;
>#	file "pri/domain.zone";
>#	
>#};
>
>
>
>
>--------users.domain.zone
>
>$ORIGIN users.domain.com.	; was "$ORIGIN .", which made the unqualified
>				; owners below (localhost, ns1) out-of-zone
>$TTL 259200	; 3 days
>@	IN SOA	ns1.domain.com. dnsadmin.domain.com. (
>				2004061638 ; serial
>				28800      ; refresh (8 hours)
>				7200       ; retry (2 hours)
>				2419200    ; expire (4 weeks)
>				86400      ; minimum (1 day)
>				)
>			NS	ns1.users.domain.com.
>			MX	10 smtp1.domain.com.
>			MX	20 smtp2.domain.com.
>
>localhost		A	127.0.0.1
>ns1			A	172.16.100.3	; address record for the NS above
>
>
>
>------------- domain.zone
>
>$TTL 3D
>@	IN	SOA	ns1.domain.com. dnsadmin.domain.com.	( ; trailing dot added: RNAME must be absolute
>			2004061608	; Serial
>			8H		; Refresh
>			2H		; Retry
>			4W		; Expire
>			1D )		; Minimum TTL 
>;
>					NS	ns1 ;
>					MX	10	smtp1.domain.com. ; trailing dots added, otherwise
>					MX	20	smtp2.domain.com. ; $ORIGIN is appended again
>;
>
>localhost				A	127.0.0.1
>ns1					A 	172.16.100.3
>
>; NB: owners containing "_" are not valid hostnames. BIND's check-names
>; (default "fail" for master zones) rejects such A records on load unless
>; the zone has "check-names ignore;".
>ta_file					A	172.16.1.36
>svcpix					A	172.16.1.57
>t_a					A	172.16.1.52
>ta-sql					A	172.16.1.38
>ta-sql01				A	172.16.1.38
>ta-webapp				A	172.16.1.38
>ta_master				A	172.16.1.52
>ta_print				A	172.16.1.4
>tadomain				A	172.16.1.7
>talegal					A	172.16.1.41
>utility					A	172.16.1.27
>web					A	172.16.1.56
>www					A	172.16.1.44
>