LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 06-15-2004, 08:56 AM   #1
registering
Member
 
Registered: Jun 2003
Location: Florida, USA
Distribution: Drake 10.1 Download
Posts: 182

Rep: Reputation: 30
Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients


Hi,
While I'm not really sure if it is a security issue, I would prefer to not have all my LAN machine names resolved if someone from the internet is asking. However I want them all resolved if someone inside my LAN is asking. For example, if mymachine.mydomain.com exists, and someone from the internet asks, I don't want bind to give it anything, but if someone inside asks for mymachine or mymachine.mydomain.com, I'd like it resolved. External clients should only get a subset of all possible names resolved (e.g., www.mydomain.com).
Right now my DNS resolves mymachine using a LAN IP (192.168.0.xxx), which should be useless to anyone OUTSIDE my LAN, but I get a feeling there's a more secure way to do this. Does anyone know if this is true? Can BIND do this? Is there an advantage to doing it this way, like better security or am I just wasting time?
Thanks for any advice!
 
Old 06-16-2004, 05:53 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
From a practical point of view, I gotta ask why it's necessary to resolve your internal machines?

There have to be hundreds of different opinions about "how" to use dns, and I have my own preferences as you do, but for me, to have an Internet accessible dns server resolving "non-internet" services seems unnecessary..

To make 'machine1.mydomain.com' resolve to a non-routable network goes against the RFCs..

I rather prefer to install a small dns proxy eg dnsmasq internally to do that, which then uses your bind server as well as external servers to resolve Internet numbers.
A separate hosts file is maintained containing all your local, dmz and dynamic numbers. It can even check dhcp records..

Getting back to Bind..
Have a look at this mailimg list question to get an idea on setting up access control with 'views'
http://marc.theaimsgroup.com/?l=bind...0826202891&w=2
& http://marc.theaimsgroup.com/?l=bind...0874008651&w=2 for a correction..
 
Old 06-16-2004, 07:22 AM   #3
linuxxed
Member
 
Registered: Feb 2004
Posts: 273

Rep: Reputation: 30
Re: Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients

Quote:
Originally posted by registering
Hi,
While I'm not really sure if it is a security issue, I would prefer to not have all my LAN machine names resolved if someone from the internet is asking. However I want them all resolved if someone inside my LAN is asking. For example, if mymachine.mydomain.com exists, and someone from the internet asks, I don't want bind to give it anything, but if someone inside asks for mymachine or mymachine.mydomain.com, I'd like it resolved. External clients should only get a subset of all possible names resolved (e.g., www.mydomain.com).
Right now my DNS resolves mymachine using a LAN IP (192.168.0.xxx), which should be useless to anyone OUTSIDE my LAN, but I get a feeling there's a more secure way to do this. Does anyone know if this is true? Can BIND do this? Is there an advantage to doing it this way, like better security or am I just wasting time?
Thanks for any advice!
Yep check BIND9 documentaion. You can use "acl" directive or the "view" directive. You can do all sorts of things with BIND. I don;t think you can restrict viewings within a zone. You are better off defining internal and external domains and sticking acls/views.
 
Old 06-16-2004, 07:25 AM   #4
registering
Member
 
Registered: Jun 2003
Location: Florida, USA
Distribution: Drake 10.1 Download
Posts: 182

Original Poster
Rep: Reputation: 30
Thanks!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS, Linux doesnt resolve domain names for me ikk Linux - Networking 6 08-28-2005 03:35 PM
Internal Can't Resolve Names bootface Linux - Networking 3 03-21-2005 12:00 PM
Fedora can resolve external hostnames but not internal TheLandofSmeg Linux - Networking 3 02-25-2005 07:57 PM
DNS will not resolve non-domain qualified names arobinson74 Linux - Networking 2 10-25-2004 04:13 PM
how to resolve names to IPs WITHOUT /etc/hosts or DNS iggymac Linux - Networking 11 11-13-2001 10:32 PM


All times are GMT -5. The time now is 08:02 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration