Groups > comp.protocols.dns.bind > #15733

Re: What is the proper way to delegate to a private / hidden sub-domain?

Path	csiph.com!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail
From	"John Levine" <johnl@iecc.com>
Newsgroups	comp.protocols.dns.bind
Subject	Re: What is the proper way to delegate to a private / hidden sub-domain?
Date	6 May 2020 17:38:56 -0400
Organization	Taughannock Networks
Lines	23
Approved	bind-users@lists.isc.org
Message-ID	<mailman.367.1588801131.942.bind-users@lists.isc.org> (permalink)
References	<mailman.364.1588797009.942.bind-users@lists.isc.org> <20200506213857.25B5E18DA617@ary.qy>
NNTP-Posting-Host	lists.isc.org
Mime-Version	1.0
Content-Type	text/plain; charset=utf-8
Content-Transfer-Encoding	8bit
X-Trace	usenet.stanford.edu 1588801145 1762 149.20.1.60 (6 May 2020 21:39:05 GMT)
X-Complaints-To	action@cs.stanford.edu
Cc	gtaylor@tnetconsulting.net
To	bind-users@lists.isc.org
Return-Path	<johnl@iecc.com>
X-Original-To	bind-users@lists.isc.org
Delivered-To	bind-users@lists.isc.org
DKIM-Signature	v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=16d6.5eb32e71.k2005; bh=62IH5vWra0zc7jO4VDWc2vL1Mg2iTuE+cikpWfdC2Ws=; b=qX/k2RMldWG9k3OZOvNxUjKc+GrS5h60DX5OlJyKB37DsaCGoR5jz9oVEE563Px4py3NXy+gdaBKf2JmoeV24tVgjJDHYuqmvw/iwDVwnosEV3g0FrbDICn5zH5zhML3qDt269mivGCAr+aQxtOnG4f1ItlpuDXCvIARiTz5zckBc2EFzMKGeDROBKh7heOrjQNet5QW79rXJYbH1MQnCmQPew7JriDxAw5mViDcPLkLPcr7YSem/X6KYF0yFOy3
In-Reply-To	<mailman.364.1588797009.942.bind-users@lists.isc.org>
X-Headerized	yes
X-Spam-Status	No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Checker-Version	SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org
X-BeenThere	bind-users@lists.isc.org
X-Mailman-Version	2.1.29
Precedence	list
List-Id	BIND Users Mailing List <bind-users.lists.isc.org>
List-Unsubscribe	<https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe>
List-Archive	<https://lists.isc.org/pipermail/bind-users/>
List-Post	<mailto:bind-users@lists.isc.org>
List-Help	<mailto:bind-users-request@lists.isc.org?subject=help>
List-Subscribe	<https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe>
X-Mailman-Original-Message-ID	<20200506213857.25B5E18DA617@ary.qy>
Xref	csiph.com comp.protocols.dns.bind:15733

Show key headers only | View raw

In article <mailman.364.1588797009.942.bind-users@lists.isc.org> you write:
>> This really seems like ordinary split horizon DNS.
>
>Please explain what you mean by "split horizon DNS" like I'm a n00b, 
>because obviously my understanding of it differs from what your 
>understanding seems to be.

The DNS server sends different answers depending on the client IP, so
on your internal network it sees the private subdomain, everywhere
else sees a ENT or NXDOMAIN.

If you really have to use physically separate servers for reasons that
you can't explain, I suppose putting the two servers at the same IP
addresss facing different networks could work, although you're asking
for trouble with route leaks anytime someone adjusts a router anywhere
near one or the other.  Remember that with normal anycast all of the
mirrors send identical or at least equivalent answers so the routes
are not a security issue.

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Back to comp.protocols.dns.bind | Previous | Next — Previous in thread | Find similar | Unroll thread

Thread

Re: What is the proper way to delegate to a private / hidden sub-domain? Grant Taylor <gtaylor@tnetconsulting.net> - 2020-05-06 14:29 -0600
  Re: What is the proper way to delegate to a private / hidden sub-domain? "John Levine" <johnl@iecc.com> - 2020-05-06 17:38 -0400

csiph-web