time and time again that running "internal" DNS on a LAN has become
increasingly frowned upon, but I guess I'm wondering how it can be avoided
if I want to access local services using a domain name?
As one spokesman for the "DNS is tricky and dangerous" crowd, I don't frown
upon running it inside your LAN as long as there's no possibility of your
internal DNS leaking into the outside world (read: as long as there's no way
for outside hosts to query your Xserve).
Allow me to post to someone else's concurrent DNS thread:
This has been one of my biggest questions about DNS: Everyone warns
you not to pollute outside DNS with internal "bogus" DNS info, but
what are the ways to prevent that?
You mention the obvious: block port 53. What are other things you
should do to make sure that your bogus DNS LAN info, or valid DNS
LAN hosts you have, but only want to be available internally, don't
propagate to the outside world?
Views is another, I guess. What else?
I ask because I don't want to screw things up.
Driving a car is very dangerous too, and you could adversely impact
someone if you're not careful or you don't know what you're doing.
Well this too is one of those "if you have to ask..." questions.
The answer is a very good familiarity with DNS and BIND
configurations brought about by experience. And even experienced
Hostmasters can make serious mistakes.
The further answer is education, mentoring, working with your
Hostmaster or Senior Network engineers, and reading "DNS & BIND",
"The DNS Cookbook", et al.
Just blocking port 53 is like a bandaid, at best. It may not even
work and may cause you additional problems.
If you're not very familiar with DNS and BIND, the suggestion is
commonly to set up a test bench network of hosts and DNS servers to
play around with. Of course this is often very limiting because DNS without
access to the root servers doesn't buy you much. However it is a
good answer for those deploying DNS for intranets only.
In other words, if you're not sure how to drive, stay off the road.
It's not like you can't get someone with experience to host your DNS
for you. Most NSPs provide DNS hosting for their networks gratis. For
those that need hosting, hosting providers abound. In most cases people
don't need to or shouldn't be running their DNS locally.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
Macos-x-server mailing list (email@hidden)
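The thread above names the two controls that keep internal names off the public Internet, blocking port 53 at the border and BIND views, but shows neither. What follows is an added example written for this page, not configuration from the list post or from Mac OS X Server; it is a BIND 9 named.conf that splits the server into an internal view (LAN clients only, internal zone visible, recursion allowed) and an external view (everyone else, public zone only, no recursion, no zone transfers). The LAN range 10.0.0.0/24, the internal-only zone corp.example, the public zone example.com, the secondary at 192.0.2.53 and the file paths are all assumptions; replace them with your own values.

```conf
// Added example, not from the original post: BIND 9 named.conf that keeps
// an internal zone from leaking, using views plus explicit ACLs.
// Assumed values: LAN is 10.0.0.0/24, internal-only zone is corp.example,
// public zone is example.com, public secondary is 192.0.2.53, zone files
// live under /var/named. Change all of them for your own network.

acl "lan" {
    10.0.0.0/24;      // assumed LAN range
    127.0.0.1;        // the server itself
};

options {
    directory "/var/named";
    // Safe defaults; the internal view loosens them only for LAN clients.
    recursion no;               // never recurse for strangers
    allow-transfer { none; };   // no zone transfers unless a zone says so
    version "not disclosed";    // don't advertise the BIND version
};

// Views are matched in order: LAN addresses land here and never fall
// through to the external view.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    allow-query { "lan"; };

    // Root hints so LAN clients can resolve the outside world from here.
    zone "." {
        type hint;
        file "named.root";
    };

    // The zone that must never be visible outside the LAN.
    zone "corp.example" {
        type master;
        file "internal/corp.example.zone";
        allow-transfer { none; };   // or your internal secondary's address
    };

    // LAN clients also get the public zone from here, so resolving your
    // own public names never has to leave the building.
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

// Everyone else: public zone only, no recursion, no corp.example at all.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { 192.0.2.53; };  // assumed public secondary
    };
};
```

Once any view is declared, BIND requires every zone to sit inside a view, which is why example.com appears twice. To check the result from an address outside the LAN, query the server directly for a corp.example name: because the external view has no such zone and recursion is off, the answer should be REFUSED rather than a record, and an AXFR request for example.com from anywhere but the listed secondary should fail the same way. Run the check from outside as well as inside; a border rule blocking port 53 inbound still belongs in front of this server, but as the reply above says, it is a band-aid on its own, and the views are what make the leak impossible even when the firewall rule is wrong.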