Views vs. firewall for simple usage?

Chris Boot bootc at bootc.net
Thu Jun 8 13:30:57 UTC 2006


Ronni Jensen wrote:
> Hi,
>
> I have a little issue, that I hope you can help me enlighten;
>
> Our DNS setup:
> 1 master (on same LAN as slaves)
> 2 slaves (with public IPs NAT'ed through our firewall to their local IP.
> Customers use these as pri/sec dns servers)
>
> The only purpose of this setup is to be authoritative for zones hosted
> by our company, and enable our customers to use the slaves for both
> authoritative and recursive queries.
>
> As I see it, there is no purpose of the headache of working with
> internal and external views in BIND, since it is only our customers on a
> AAA.BBB/20 network that are supposed to query the servers.
>
> Could I just configure BIND with "recursion yes;" (default) and then
> prohibit the access in our firewall to only OUR customers, by allowing
> only AAA.BBB/20 to access ns1 and ns2 on port 53, and deny all other
> networks?
>
> Are there any security risks or other issues in this? I can't see any,
> since only our customers on AAA.BBB/20 are able to query the servers..
>
> With kind regards,
> Ronni
>   
Well if you want your servers to be authoritative for some external 
zones you're going to have to let the world query your server to get at 
those zones. You're best to set up ACLs and only allow your internal 
network + customers to do recursive queries.

Chris



More information about the bind-users mailing list