[NTLUG:Discuss] Dynamic Clients & BIND

Bryan J. Smith b.j.smith at ieee.org
Wed Oct 6 08:08:58 CDT 2004


On Wed, 2004-10-06 at 07:02, Stephen Davidson wrote:
> Nope, and that's my problem.  Ran a sniffer on the segment, and client 
> does send packets to dns server asking for addresses.  Just, the BIND 
> does not resolve/return any info.  Maybe I am missing something in my 
> Bind/named.conf configurations?

Possibly forwarder lines?

BTW, for security (and performance) reasons, I _neither_ distribute the
names of public DNS servers in DHCP nor set them directly on static IP
LAN nodes.  I _always_ set all internal nodes to resolve to internal DNS
servers.  Those internal DNS servers are then the _only_ systems allowed
to resolve public DNS names by the firewall.

It has several advantages:

- No outgoing domain (port 53) traffic except for a couple of systems
(this was a bigger deal back when firewalls were stateless)

- Internal DNS names are never sent for resolution outside the LAN
(which is possible if an internal DNS server fails to resolve, I
don't want the internal systems looking outside for a name)

- All public DNS names are cached at a couple of systems
(this was a bigger deal with older Windows kernels that lacked a
resolver cache)

- I can list an endless number of DNS servers
(no limit, unlike some clients or DHCP that have a limit)

-- Bryan

P.S.  I use the public caching DNS servers of several major telcos in
my forwarder lines.  One is UUNet at 198.6.1.2 and 198.6.1.3, which
never seem to be unavailable and never go down.  I _always_ set those in
addition to any others I can find; they are a great "fall back" at the
internal DNS server.


-- 
Bryan J. Smith                                  b.j.smith at ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik
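The layout Bryan describes (internal nodes resolve only against an internal BIND server, which alone is allowed out on port 53 and forwards to public caching servers), written up as an added named.conf example; this is not the poster's own configuration. It assumes a BIND 9 server at 192.168.1.53 on a 192.168.1.0/24 LAN, an internal zone "lan.example" with its zone files under /etc/bind/, and the UUNet addresses from the post as forwarders.

```conf
// Added example, not taken from the post. Assumed values: LAN 192.168.1.0/24,
// this resolver at 192.168.1.53, internal zone "lan.example".

acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";

    // Only answer, and only recurse, for internal nodes. Public hosts
    // must never be able to use this server as an open resolver.
    listen-on       { 127.0.0.1; 192.168.1.53; };
    allow-query     { "lan"; };
    allow-recursion { "lan"; };

    // Everything this server is not authoritative for goes to the public
    // caching servers named in the post. "forward only" (rather than
    // "forward first") stops named from iterating from the root servers
    // itself when the forwarders are unreachable, so this host's outbound
    // port-53 traffic stays limited to exactly these two addresses and the
    // firewall rule can be written that narrowly.
    forwarders { 198.6.1.2; 198.6.1.3; };
    forward only;
};

// Authoritative for the internal namespace: internal names are answered
// here and are never sent to the forwarders, even if a lookup fails.
zone "lan.example" {
    type master;
    file "/etc/bind/db.lan.example";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
};
```

Check the file with `named-checkconf` before reloading, and hand out only 192.168.1.53 (plus any further internal resolvers) as the DNS server in DHCP so that no client ever carries a public resolver address it could fall back to.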





More information about the Discuss mailing list