[TriLUG] Slides from last night's DNS Presentation

Ryan Leathers Ryan.Leathers at globalknowledge.com
Fri Oct 15 17:02:38 EDT 2004


The use of views does not require you to expose anything to the internet.
All you are doing is matching a source address in order to decide which
collection of zone records to use to answer the query.



-----Original Message-----
From: Rick DeNatale [mailto:rick.denatale at gmail.com]
Sent: Friday, October 15, 2004 4:12 PM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] Slides from last night's DNS Presentation


Another thank you for last night's session.

Apropos the discussion of BIND security, gmail popped in with this
link http://www.circleid.com/article/774_0_1_0_C/ as a "comment" on
this thread.
I thought that some might find it interesting.

I've got a few other thoughts which were provoked by the session.

1) The discussion of black hole lists was interesting, and hit one of
my hot buttons, which is ISPs which use dnsrbls (or rbls in general)
like SpamCop to bounce e-mail rather than as one positive indication
of spam so that a tool like Spamassassin can tag it. Much as I hate
spam and junkmail, I'd rather have it delivered and let me and my
tools decide it's junk rather than the postman throwing good mail
away with the bad.  Most rbls have warnings against using them in this
way, but it seems that lots of ISPs ignore them either ignorantly or
even actively, feeling that the reduction in load on their servers is
worth throwing away a "few" of their customers' emails.  I got into
running my own local mail server just to avoid problems with this. I'm
amazed at how much spam gets through on my ISP email account only to
be caught by SA.

2) I looked into the view feature of BIND 9; I'm not sure that it's
usable in my situation. My home lan is behind a Netgear NAT router.
I've got a dyndns free dns listing for denhaven2.homeip.net which
resolves (via dyndns.org's name servers) to my router's address. Inside
the lan, I run BIND on a linux server which forwards to the router
(which in turn forwards to the name servers it gets from the ISP via
DHCP). Dyndns wildcards the hostnames in my domain, and the NAT router
uses its virtual server by ports to route to the right machines
inside. My BIND server has a zone for local.denhaven2.homeip.net to
resolve the addresses of machines on the lan. Now views would let me
have names like fred.denhaven2.homeip.net instead of
fred.local.denhaven2.homeip.net, but to do this, I'd need to expose my
name server to the internet, right? Dyndns doesn't appear to support
this for a dynamic ip address even if I wanted to pay for it. Does it
even make sense to be thinking about this in the typical home setup
with a single exposed ip address?
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
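As an added illustration of the point made in the reply above (this is example configuration written for this page, not anything posted by either author), here is the shape a split-horizon named.conf takes for the setup Rick describes: the view is chosen purely by the source address of the query, so the internal view can hand out LAN addresses for fred.denhaven2.homeip.net without the server being reachable from the internet at all. The LAN prefix 192.168.1.0/24, the router address 192.168.1.1, the BIND host address 192.168.1.2, the zone file paths and the address for fred are all assumptions chosen for the example.

```conf
// Assumed LAN prefix and loopback. Order inside match-clients does not
// matter, but the order of the view blocks does: BIND tries views top to
// bottom and uses the first one whose match-clients accepts the query.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";
    // Assumed: listen only on loopback and the LAN-facing address. Nothing
    // here is reachable from the internet unless the NAT router forwards
    // UDP/TCP 53 to this host, which this setup does not do.
    listen-on { 127.0.0.1; 192.168.1.2; };
};

// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { lan; };
    recursion yes;
    // Recursive lookups go to the NAT router, as in the original post.
    forward only;
    forwarders { 192.168.1.1; };

    // Assumed zone file containing, for example:
    //   fred  IN  A  192.168.1.10
    zone "denhaven2.homeip.net" {
        type master;
        file "internal/denhaven2.homeip.net.db";
    };
};

// Catch-all view, placed last. With no port 53 forwarded on the router it is
// never consulted, but keeping it explicit means an unexpected client gets
// an authoritative answer only, and never an open recursive resolver.
view "external" {
    match-clients { any; };
    recursion no;

    // Assumed zone file with only the public-facing records.
    zone "denhaven2.homeip.net" {
        type master;
        file "external/denhaven2.homeip.net.db";
    };
};
```

To confirm which view a client lands in, query the BIND host from a LAN machine with `dig @192.168.1.2 fred.denhaven2.homeip.net` and check that the answer is the LAN address; a query whose source address is outside the "lan" ACL would fall through to the external view instead. Public lookups of denhaven2.homeip.net from the internet are still answered by dyndns.org's servers, so nothing about the dynamic-IP listing has to change.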
