
Re: What is the proper way to delegate to a private / hidden sub-domain?

From Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups comp.protocols.dns.bind
Subject Re: What is the proper way to delegate to a private / hidden sub-domain?
Date Wed, 6 May 2020 16:04:31 -0600
Lines 153
Approved bind-users@lists.isc.org
Message-ID <mailman.370.1588802665.942.bind-users@lists.isc.org>
References <20200506213857.25B5E18DA617@ary.qy> <aa10c9ff-e950-2be7-d746-bd3e1db7457c@tnetconsulting.net>
To bind-users@lists.isc.org
In-Reply-To <20200506213857.25B5E18DA617@ary.qy>

On 5/6/20 3:38 PM, John Levine wrote:
> The DNS server sends different answers depending on the client IP,
> so on your internal network it sees the private subdomain,
> everywhere else sees an ENT or NXDOMAIN.

Thank you for confirming.  That is indeed what I /thought/ we were 
talking about.  But given the difference in what you were describing and 
what I was thinking, I figured that it was worth confirming.

> If you really have to use physically separate servers for reasons 
> that you can't explain,...

There's not anything stopping me from explaining.

The main network I want dig +trace to behave (as) correctly (as 
possible) is inside the labs.  (Obviously tracing won't work without 
some support infrastructure on the disconnected labs.)

The external server is more to make the delegation into the labs look as 
clean as possible to the rest of the world.  I.e. return NXDOMAIN 
instead of timeouts.

In some ways, the external aspect is somewhat optional, save for the 
desire to play nice with others.

I'd like to consistently re-use the same method across all labs, 
independent of whether they are isolated or not, both internally and externally.

> ...I suppose putting the two servers at the same IP address facing 
> different networks could work,

Hence "anycast".

> although you're asking for trouble with route leaks anytime someone 
> adjusts a router anywhere near one or the other.

In general, I agree with you.  However, in this particular case, I don't 
think it's going to be an issue.  The router inside the lab is not using 
any routing protocols, only static configs.  The router can get the 
local traffic to the anycast IP without worrying about anything 
escaping.  (Be it on the router w/ local DNS server, or directly 
attached network, or a host route to another system that is directly 
attached.)

I'm taking your warning, processing it, and then deciding that this 
particular scenario is not subject to the concerns you rightfully have.

> Remember that with normal anycast all of the mirrors send identical 
> or at least equivalent answers so the routes are not a security 
> issue.

Agreed.



-- 
Grant. . . .
unix || die
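The split-horizon arrangement John describes (internal clients see the delegation into the private sub-domain, everyone else gets an authoritative NXDOMAIN) expressed as BIND views. This is an added example, not configuration from either poster; the zone names, network ranges, addresses and file names are assumptions.

```conf
// named.conf excerpt (added example): one server, two views of the same
// parent zone, selected by the querying client's source address.
// Assumed names: parent zone example.com, private sub-domain
// lab.example.com, lab network 10.10.0.0/16, lab name server 10.10.0.53.
acl "lab-clients" { 10.10.0.0/16; localhost; };

view "internal" {
    match-clients { "lab-clients"; };
    recursion yes;
    // zones/example.com.internal is the parent zone plus the delegation:
    //   lab      IN NS  ns1.lab.example.com.
    //   ns1.lab  IN A   10.10.0.53        ; glue
    // so "dig +trace host.lab.example.com" from inside the lab follows
    // the referral to the lab's own server.
    zone "example.com" {
        type master;
        file "zones/example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    // zones/example.com.external is the same parent zone with no owner
    // names under "lab" at all, so the rest of the world receives an
    // authoritative NXDOMAIN (not a timeout) for anything in lab.example.com.
    zone "example.com" {
        type master;
        file "zones/example.com.external";
    };
};

// Caveat: match-clients keys on the source IP as seen by this server. A NAT
// or forwarding resolver in front of it makes every query look like one
// client and silently picks a single view for all of them.
```

To verify: from a lab client, `dig +trace host.lab.example.com` should show the referral to 10.10.0.53; from any other address, `dig @<this server> lab.example.com SOA` should come back with `status: NXDOMAIN` and the example.com SOA in the authority section.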
