3rd party CNAMEs and open recursion
Verne Britton
verne at wvnet.edu
Mon Mar 4 18:43:41 UTC 2013
I have been testing and testing and either just don't see what I'm doing wrong, or have a learning block :-)
Current thinking is that an open recursion DNS server is bad, so we want to implement an allow-recursion clause; perhaps even make some views so our local users still recurse while the general public cannot ...
but I am running into a roadblock with our Google Apps cname:
gmail.wvstateu.edu is a cname to ghs.google.com
and bind wants recursion turned on in order to translate it.
(actually we have a number of 3rd party CNAMEs; Google Apps have the most widespread usage)
I thought additional-from-auth would fix it up in a view, but either I do not understand additional-from-auth, or it does not work.
I also played around with a 2nd local server, testing with a forwarding zone as well as a stub zone ... no luck
My most recent testing is with BIND 9.8.2 on Oracle Linux 6.3 64-bit ... installed via yum from the Oracle Linux repositories (Oracle Linux is very, very close to, if not a duplication of, the Red Hat distribution)
I am starting to read up on RPZ but don't know if that will help any ...
thoughts anyone?
Verne
--------------------------------------------------------------------
Verne Britton, Lead Systems Programmer voice: (304) 293-5192 x230
Systems Support Group (in WV, call 1-800-253-1558)
West Virginia Network for FAX: (304) 293-5540
Educational Telecomputing verne at wvnet.edu
837 Chestnut Ridge Road http://myweb.wvnet.edu/~verne
Morgantown, WV 26505 http://www.wvnet.edu
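
The view layout described in the post (local users recurse, the general public does not), sketched as an added example that is not part of the original message or the poster's configuration. The ACL name, address range and zone file path are constructed placeholders; the option names are those of the BIND 9.8 series mentioned above.

```conf
// Added example: split recursion by view (BIND 9.8-style named.conf).
// "campus", 192.0.2.0/24 and the zone file name are constructed placeholders.
acl "campus" {
    127.0.0.0/8;
    192.0.2.0/24;               // stand-in for the local user networks
};

options {
    directory "/var/named";
};

// Local users: full recursive service plus the authoritative zone.
view "internal" {
    match-clients { "campus"; };
    recursion yes;
    allow-recursion { "campus"; };

    zone "wvstateu.edu" {
        type master;
        file "wvstateu.edu.zone";   // placeholder path
    };
};

// Everyone else: authoritative answers only, no open recursion.
// A query for gmail.wvstateu.edu is answered here with the CNAME
// record alone; the target ghs.google.com is outside this server's
// authority, so the querying resolver looks it up itself.
view "external" {
    match-clients { any; };
    recursion no;
    additional-from-auth no;    // honoured only together with "recursion no"
    additional-from-cache no;   // never answer the public from the cache

    zone "wvstateu.edu" {
        type master;
        file "wvstateu.edu.zone";   // same read-only master file in both views
    };
};
```

Views are matched in order, so the restrictive `match-clients { any; }` view goes last, and once any view is defined every zone has to live inside one. `named-checkconf` will flag a zone left outside a view.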