[dns-operations] That'll never work -- we don't allow port 53 out | Strategic Cyber LLC

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Fri Jun 21 18:57:41 UTC 2013



----- Original Message -----
> Jared wrote on 06/21/2013 01:16:14 PM:
> 
> > These things always interest/amuse me when folks try to find a way
> > around "airgapped means airgapped" between networks that need to be
> > secured.
> 
> Only to get to sites blocked as "security risk" when researching
> DNSSEC from my desktop.
> 
Right, our IT security group has only exempted our two DNS vlans from the Procera, which was otherwise interfering with DNSSEC since it looks like P2P.

Which was a problem because I had forgotten that we have localhost-only recursive caching servers on our SMTP and MX servers.  So, now they're localhost-only forward-only caching servers....

Hmmm, occurs to me that's the solution I should try giving to the admin at one of our other campuses, where he doesn't want to have his users pointed at our recursive caching DNS servers, but is having trouble in that we're running a stealth (split) DNS type configuration, so he is not able to resolve internal names using our public authoritative-only nameservers.  (Hampered by the fact that I have a stealth master, and no internal authoritative-only nameservers, yet. -- pretty much the only server that causes me stress when it's time to update bind ;)

Wonder about all the other people that run their own DNS (and such) on campus.... One time the physics department was all angry that we (central IT) had changed the size of a DNS packet to be larger than 512 bytes on them.  Forget if I ever mentioned that DNS isn't just UDP....

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
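The "DNS isn't just UDP" point above, as an added example that is not part of the list post: a minimal query builder with EDNS0 (DO bit, 4096-byte buffer), a TC-flag check on the reply, and the UDP-to-TCP retry a resolver performs when an answer (a DNSSEC-signed one, typically) does not fit. Function names are the example's own; the wire formats are the ones in RFC 1035 and RFC 6891.

```python
import socket
import struct

# Added example (not from the list post): build a DNS query with EDNS0 (DO bit,
# 4096-byte UDP buffer) and fall back to TCP when the reply has the TC bit set.

def build_query(qname, qtype=1, txid=0x1234, do_bit=True):
    """Wire-format query: 12-byte header, one question, one OPT pseudo-RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; QD=1, AR=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def is_truncated(response):
    """True when the TC flag (0x0200 in the header flags word) is set."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail loudly."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP/53 closed early (filtered or reset?)")
        data += chunk
    return data

def query_with_fallback(server, qname, qtype=1, timeout=3.0):
    """UDP first; on a truncated reply retry the same query over TCP port 53."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp, _ = u.recvfrom(4096)
    if not is_truncated(resp):
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(q))
        (length,) = struct.unpack("!H", recv_exact(t, 2))
        return recv_exact(t, length), "tcp"
```

Pointing query_with_fallback at a resolver with qtype=48 (DNSKEY) fetches a reply that is normally larger than 512 bytes; a timeout or reset on the TCP retry is the symptom of a rule that only passes 53/udp.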