Re: possible patch for implementing split DNS
- From: Julian Elischer <julian@xxxxxxxxxxxx>
- Date: Mon, 28 Aug 2006 15:38:27 -0700
Julian Elischer wrote:
> John-Mark Gurney wrote:
>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow you to specify a different config file
>>> so that you can supply different services to the inside and outside, but it all falls apart
>>> if they are still forced to use the same DNS server and cannot provide a differentiated service
>>> for that reason.
>> Why not put one of the two inside a jail (I think someone else mentioned
>> this), or a chroot'd environment where it can pick up a different resolv.conf?
> The very mail you quoted says that I cannot put it inside a jail.
> A chroot is slightly less problematical, except that they do need to share filesystems.
> To make it fully work I need to have /etc nearly all shared, along with a lot more, but I need
> to have a different /etc/resolv.conf.

To expand on this: imagine a set of 20 or so processes with about 10 or so
channels of communication between each pair of processes,
utilising unix domain sockets, lots of shared files, IP sockets and sysV opts.
I want some of this rat's nest of processes to use a different name server, but not all of them,
without completely breaking any of the thousands of not-so-obvious connections.
Putting them in a chroot or a jail gives me so many possible failure points my head spins.
Just asking the resolver to ask a different server seems the simpler and less error-prone path.

I would ask the security crew to think about this too, as DNS is important to get right for security,
but I believe it can be done in such a way that it remains secure,
possibly by insisting that it remains in /etc but specifying only the name portion (for example).

So, why NOT make this tunable from the environment? It does not do it for SUID processes,
and there are already environment variables that influence name lookup.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
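As an added illustration, not code from this thread or from FreeBSD's resolver, the following sketch shows how a resolver could honour an environment override under the two constraints raised above: the override is ignored entirely for set-id processes, and only a bare file name is accepted so that the configuration file always stays inside /etc. The variable name RESOLV_CONF_NAME and the function names are assumptions made for the example; FreeBSD's real check would be issetugid(2), for which the uid/euid comparison here is a portable stand-in.

```c
/*
 * Added illustration (not from the thread or from FreeBSD libc): choosing
 * the resolver configuration path from a hypothetical RESOLV_CONF_NAME
 * environment variable while keeping the file confined to /etc and
 * refusing the override for set-uid/set-gid processes.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RESOLV_DIR     "/etc/"
#define RESOLV_DEFAULT "/etc/resolv.conf"
#define RESOLV_ENV     "RESOLV_CONF_NAME"   /* hypothetical variable name */

/*
 * Returns 1 when the process holds privileges it did not inherit from its
 * invoker. FreeBSD's issetugid(2) answers this authoritatively; the
 * portable uid/euid and gid/egid comparison below is a simplification.
 */
static int process_is_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Accept only a plain file name: non-empty, no '/', not "." or "..",
 * and of modest length. Anything else cannot name a file inside /etc.
 */
int resolv_name_is_safe(const char *name)
{
    size_t n;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > 64)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/*
 * Core decision, kept free of global state so it can be exercised with any
 * inputs. setid != 0 means the environment must be disregarded entirely.
 * Returns a static buffer (not reentrant; fine for an illustration).
 */
const char *resolv_conf_path(const char *env_value, int setid)
{
    static char path[256];

    if (setid || !resolv_name_is_safe(env_value))
        snprintf(path, sizeof path, "%s", RESOLV_DEFAULT);
    else
        snprintf(path, sizeof path, "%s%s", RESOLV_DIR, env_value);
    return path;
}

/* Convenience wrapper using the real environment and credentials. */
const char *resolv_conf_path_from_env(void)
{
    return resolv_conf_path(getenv(RESOLV_ENV), process_is_setid());
}

int main(void)
{
    printf("resolver would read: %s\n", resolv_conf_path_from_env());
    return 0;
}
```

Run it once plainly and once with RESOLV_CONF_NAME=resolv.inside.conf exported to see the path switch; a value such as ../tmp/x or an absolute path falls back to /etc/resolv.conf, and a set-id binary built from it would ignore the variable regardless of its value.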
- Follow-Ups:
- Re: possible patch for implementing split DNS
- From: eculp
- Re: possible patch for implementing split DNS
- References:
- possible patch for implementing split DNS
- From: Julian Elischer
- Re: possible patch for implementing split DNS
- From: Doug Barton
- Re: possible patch for implementing split DNS
- From: Julian Elischer
- Re: possible patch for implementing split DNS
- From: John-Mark Gurney
- Re: possible patch for implementing split DNS
- From: Julian Elischer
- possible patch for implementing split DNS