[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Two minded DNS-Server



This is also known (more properly as split-brained)

It allows you to answer differently for resolution depending on the
'source' interface.

you can map a.example.com -> 10.0.0.1 for queries generated on the
'internal' interface and a.example.com -> 66.233.300.1 (Yes I know that
is not a valid ip :) ) for queries on an external interface.

You do run two named processes, which can make using ndc pretty tricky
(if possible at all) and they bind to whichever interfaces you wish.

Bind 9 is much more flexible in how you handle 'views' in that you can
set something akin to 'acls'

On Fri, Oct 25, 2002 at 09:56:47AM +0300, Togan Muftuoglu wrote:
> * Ingo Doerrie; <ingo@xxxxxxxxxxxxxx> on 25 Oct, 2002 wrote:
> >Hello!
> >
> >What is a "Two Minded DNS-Server"?
> >
> >Who can explain this to me and send a sample config for Bind8-DNS Server 
> >on SuSE 8.0?
> 
> 
> My understanding
> 
> The "Two minded" feature means that there will be (2) named processes 
> running
> on your machine. One daemon will run and answer DNS queries for the external
> interface while the other daemon will answer on the internal interface for 
> the
> private network. This setup helps protect your internal network IP addresses
> and names from being exposed to people out on the Internet.
> 
> Look for Bind9 Howto
> 
> -- 
> 
> Togan Muftuoglu
> Unofficial SuSE FAQ Maintainer
> http://dinamizm.ath.cx
> 
> 
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here

-- 
Jeff Graham <suse@xxxxxxxxx> 
GnuPG 1.0.6 Public key #9373D50B (0x9373D50B) certserver.pgp.com
Key fingerprint = 13FA F174 5F18 F3A8 1EFE  6930 B5FE 45BA 9373 D50B

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here