[svlug] Bind Vulnerabilities

Dagmar d'Surreal dagmar at dsurreal.org
Sun Mar 25 02:56:01 PST 2001

On Sun, 25 Mar 2001, Drew Bertola wrote:

> Dagmar d'Surreal writes:
> > One nice thing that _is_ in BIND 9.x is their "views" stuff.  
> > Administrators of nameservers cursed with departments who insist on having
> > intranet hosts living in the same namespace as internet hosts and only one
> > server to do it on will be able to essentially have different namespaces
> > without having to run multiple daemons on multiple interfaces.
> Seems like this is just the thing for my firewall/router/dns/webserver
> box.  I only have one static IP, so my internal network is all
> 192.168.x.y and I don't want my DNS server broadcasting what my
> internal stuff.  I guess from the outside, I'll offer a view of all
> public domain info, while from the inside, there'll be a view of both
> public and my private domains.  Cool.  All from one DNS box.

You might not actually need to go to BIND 9.x to do that.  If you've
actually got private _domains_ that are entirely separate from your public
ones one can still restrict queries to zones (granularity of whole zones
only tho) with ACLs in 8.x.

Generic example:

acl this-machine {;

acl private-networks {;;;

zone "kung.foo" in {
        type master;
        file "zone/kung.foo";
        allow-query { this-machine; private-networks; };
        allow-transfer { this-machine; private-networks; };
};

Really easy stuff to use and maintain once you get used to it.
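
The split-horizon setup discussed in this thread, sketched as BIND 9 views. This is an added example, not part of the original post; the addresses, the directory, the `example.com` zone and the zone file names are assumptions chosen for illustration.

```conf
// Added example: assumed addresses and file names, not from the original post.
acl this-machine     { 127.0.0.1; };
acl private-networks { 192.168.0.0/16; };   // assumed internal range (RFC 1918)

options {
        directory "/var/named";             // assumed path
        allow-transfer { none; };           // no zone transfers unless a zone opts in
};

// Views are tried in order; the first whose match-clients fits the
// source address of the query is the only one that client ever sees.
view "internal" {
        match-clients { this-machine; private-networks; };
        recursion yes;                      // inside hosts may resolve outside names

        zone "kung.foo" in {                // private zone, present only in this view
                type master;
                file "zone/kung.foo";
                allow-transfer { this-machine; private-networks; };
        };

        zone "example.com" in {             // placeholder public domain, internal data
                type master;
                file "zone/example.com.internal";
        };
};

view "external" {
        match-clients { any; };
        recursion no;                       // outside clients get authoritative answers only

        // kung.foo is not defined here, so outside queries for it are refused
        zone "example.com" in {             // same name, public records only
                type master;
                file "zone/example.com.external";
        };
};
```

Once any view is defined, every zone has to live inside a view, and `named-checkconf` will report a zone left at the top level.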
