[PLUG] DNS inside/outside configuration?

Ed Sawicki ed at alcpress.com
Tue Apr 8 11:13:01 UTC 2003


On Mon, 2003-04-07 at 18:28, Russell Senior wrote:
> >>>>> "Ed" == Ed Sawicki <ed at alcpress.com> writes:
> 
> Ed> If you use views, you only consume one IP address. If you run two
> Ed> DNS daemons, you use two IP addresses - since both need to use UDP
> Ed> port 53.
> 
> That's okay, I've got at least ... er, let's see, 192.168.0.0 to
> 192.168.255.255, uh 2 carry the four, uh, 65536 to work with. ;-).

I keep forgetting that most people have no need to have their
recursive name servers available to the outside as I do.



> Ed> Of course, if you use the same BIND daemon for both your authority
> Ed> server and your recursive name server, you run the risk of cache
> Ed> poisoning. The best solution (with BIND) is to run two BIND
> Ed> daemons (one in a UML if you choose) and have one devoted to the
> Ed> authority server function using views for inside/outside
> Ed> answers. The other is your recursive name server.
> 
> I guess Bind can do that too:
> 
>   acl internal { 192.168.0.0/16; localhost; };
> 
>   view "internal" {
>      match-clients { internal; };   // inside clients only
>      recursion yes;
>   };
> 
>   view "external" {
>      match-clients { any; };        // everyone else
>      recursion no;
>   };

That should do it if it works as advertised. I'm still nervous
about one daemon handling both functions so I usually separate
them, have them run as non-root, and chroot them to their own
directories. Paranoid? Maybe.

-- 
Ed Sawicki <ed at alcpress.com>
ALC
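A worked configuration for the split described above, added here as an
illustration; it is not from the original thread or from the BIND
distribution. It assumes BIND 9 on a Unix host, Russell's 192.168.0.0/16
as the inside network, a hypothetical zone example.com, a public
authoritative address of 192.0.2.53 and an inside resolver address of
192.168.1.53; the file paths, the "named" user and the chroot directories
are assumptions too. The authoritative daemon answers differently inside
and outside via views and never recurses; the recursive daemon is a
separate process with its own chroot, listens only inside, and serves no
zones, so a spoofed answer cannot poison the cache the authoritative
server hands to the world.

```conf
// ---- /etc/named-auth.conf: authoritative-only daemon (public address) ----
// Started as:  named -u named -t /var/named/auth -c /etc/named-auth.conf
// (-u drops to the unprivileged user after binding port 53, -t chroots)

acl internal { 192.168.0.0/16; localhost; };   // "inside" clients

options {
    directory "/";                   // paths below are relative to the chroot
    listen-on { 192.0.2.53; };       // public address only
    listen-on-v6 { none; };
    recursion no;                    // this daemon never recurses for anyone
    allow-query { any; };            // authoritative data is public by design
    allow-transfer { none; };        // permit AXFR per zone, to secondaries only
};

// With views present, every zone must live inside a view.
view "internal" {
    match-clients { internal; };     // evaluated first: inside hosts land here
    recursion no;
    zone "example.com" {
        type master;
        file "zones/example.com.internal";   // private (RFC 1918) addresses
    };
};

view "external" {
    match-clients { any; };          // everyone who did not match above
    recursion no;
    zone "example.com" {
        type master;
        file "zones/example.com.external";   // public addresses only
    };
};

// ---- /etc/named-cache.conf: recursive resolver (inside address) ----
// Started as:  named -u named -t /var/named/cache -c /etc/named-cache.conf

acl internal { 192.168.0.0/16; localhost; };

options {
    directory "/";
    listen-on { 192.168.1.53; };     // inside address; unreachable from outside
    listen-on-v6 { none; };
    recursion yes;
    allow-recursion { internal; };   // only inside hosts may use the cache
    allow-query { internal; };       // and only they may query it at all
    // No zone statements: this daemon is a pure cache. It learns about
    // example.com the same way any outside resolver does, by following
    // delegation to the authoritative daemon's public view.
};
```

Each file can be checked before starting its daemon with
`named-checkconf -t /var/named/auth /etc/named-auth.conf` (and likewise
for the cache chroot); a missing `match-clients` on the first view is the
usual mistake, since that view would then match every client and the
second view would never be reached.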