[svlug] Bind Vulnerabilities

Dagmar d'Surreal dagmar at dsurreal.org
Sun Mar 25 02:56:01 PST 2001


On Sun, 25 Mar 2001, Drew Bertola wrote:

> Dagmar d'Surreal writes:
> > One nice thing that _is_ in BIND 9.x is their "views" stuff.  
> > Administrators of nameservers cursed with departments who insist on having
> > intranet hosts living in the same namespace as internet hosts and only one
> > server to do it on will be able to essentially have different namespaces
> > without having to run multiple daemons on multiple interfaces.
> 
> Seems like this is just the thing for my firewall/router/dns/webserver
> box.  I only have one static IP, so my internal network is all
> 192.168.x.y and I don't want my DNS server broadcasting what my
> internal stuff.  I guess from the outside, I'll offer a view of all
> public domain info, while from the inside, there'll be a view of both
> public and my private domains.  Cool.  All from one DNS box.

You might not actually need to go to BIND 9.x to do that.  If you've
actually got private _domains_ that are entirely separate from your public
ones one can still restrict queries to zones (granularity of whole zones
only tho) with ACLs in 8.x.

Generic example:

acl this-machine {
        127.0.0.1;
};

acl private-networks {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
};

zone "kung.foo" in {
        type master;
        file "zone/kung.foo";
        allow-query { this-machine; private-networks; };
        allow-transfer { this-machine; private-networks; };
};

Really easy stuff to use and maintain once you get used to it.
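[Added example, not part of the original message: the BIND 9 "views" equivalent of the setup Drew describes, one box serving a public zone to everyone and a private zone only to inside hosts. The ACL names are reused from the 8.x example above; "example.net" and the file paths are placeholders, not anything from the thread.]

```conf
// Reuse the same ACLs as the BIND 8.x example.
acl this-machine { 127.0.0.1; };
acl private-networks { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

// Views are tried in order; the first one whose match-clients
// matches the source address answers the query.
view "internal" {
        match-clients { this-machine; private-networks; };
        recursion yes;              // inside hosts may use this box as a resolver

        // Private namespace: only visible from this view.
        zone "kung.foo" {
                type master;
                file "zone/kung.foo";
                allow-transfer { this-machine; private-networks; };
        };

        // Public zone, as seen from inside (placeholder name/path).
        zone "example.net" {
                type master;
                file "zone/example.net.internal";
        };
};

view "external" {
        match-clients { any; };
        recursion no;               // never recurse for the Internet at large

        // Only the public zone exists in this view; "kung.foo" does not,
        // so outside queries for it get a normal "not found", not a leak.
        zone "example.net" {
                type master;
                file "zone/example.net.external";
                allow-transfer { none; };
        };
};
```

Once any view is defined, every zone must live inside a view, so the public zone is declared twice (once per view), which is also what lets the inside copy carry 192.168.x.y addresses the outside copy never shows.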
