On Thu, 26 Jun 2003, Peters, Michael D. wrote:
> I have the internal DNS servers naturally. I have the public DNS servers
> also. My question is this:
> Should I point the resolv.conf on my public servers at the LAN DNS addresses
> or to look to only at their own address? Is there any security arguments for
> or against pointing at the LAN DNS in the resolv.conf?
What "view" do the local "clients" (your public DNS servers) need?
While they're public servers serving public data, if they're on the local
LAN, they most likely need to know about the local DNS scope. As such,
resolv.conf would point to the internal servers. Then hostnames for
things like NFS mounts will work via internal DNS, but named will still
serve the limited public data to the world. Also, if NAT is involved...
You almost certainly want the RFC1918 addresses on the public servers to
resolve properly forward and reverse, but the real public addresses as the
Internet sees them aren't on the LAN... So, again, I think you want to
resolve things in terms of your internal scope even though you're serving
something else.
If all the servers are on the same LAN, that's enough of a security risk
in itself. Having config files that point to other local machines isn't
much of a risk. OTOH, if your public DNS servers are in a DMZ... You'll
need to review local policy and determine if allowing communication
between DMZ and internal hosts is allowed.
-mrh
--
From: "Spam Catcher" <spam-catcher@xxxxxxxxx>
To: spam-catcher@xxxxxxxxx
Do NOT send email to the address listed above or
you will be added to a blacklist!
|
