[dns-operations] anybody here from GDNS?
Sidney Faber
sfaber at cert.org
Wed Jul 16 02:34:38 UTC 2008
Perhaps not so much an example as an auditing guide, but consider DISA's
DNS STIG,
http://iase.disa.mil/stigs/stig/index.html
http://iase.disa.mil/stigs/stig/dns_stig_v4r1_20071017.pdf
particularly section 3.4.2, "Query Restrictions for Caching Servers."
The document's written from an auditing standpoint, but it's got great
background information / justification for each audit item geared to the
average sysadmin. Section 4 goes into BIND implementation details, and
section 5 is on Windows.
And if you're really audit-oriented, there's the associated DNS
checklist available at
http://iase.disa.mil/stigs/checklist/index.html
hth,
sid
Sean Donelan wrote:
> On Tue, 15 Jul 2008, Paul Vixie wrote:
>> anyone doing both authority and recursive in the same nameserver images
>> should be using views. or multiple nameserver images, each having its own
>> listener IP. note that in the case of views, the nameserver really does
>> ask itself questions and answer them. in the case of multiple images, they
>> really do discover each other by iterating downward from the root zone.
>
> In the past, my suggestion has been to use different servers if you
> can. But for those who don't, are there complete examples of
> setting up a single server for both non-recursive authoritative, and
> recursive non-authoritative views for the same clients? I've pointed
> people to the isc.org tech papers and team cymru secure configuration;
> but they seem to assume you are using views because you have a
> split-network.
>
> The simplest case would be a server authoritative for EXAMPLE.COM,
> and providing recursive service to the server (i.e. localhost).
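
Added example, not written by anyone in this thread and not taken from the ISC, Team Cymru or DISA documents mentioned above: a BIND 9 named.conf for the case described in the quoted question, one server that is authoritative for example.com for everyone and recursive only for itself. The view names, directory and file names are assumptions.

```conf
// Constructed example. Paths, file names and view names are assumptions.
options {
    directory "/var/named";
};

// View 1: recursive, non-authoritative service for the server itself.
// "localhost" is the built-in ACL matching all of this host's addresses.
// match-recursive-only restricts the view to queries with the RD bit set,
// so the server's own iterative (RD=0) queries, sent to its public address
// while resolving example.com, fall through to the authoritative view.
view "recursive-local" {
    match-clients { localhost; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { localhost; };

    // Root hints only; no authoritative zones are loaded in this view.
    zone "." {
        type hint;
        file "named.root";
    };
};

// View 2: authoritative, non-recursive service for every other query.
// Views are tested in order, so this catch-all must come last.
view "authoritative" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Once any view is defined, every zone statement has to sit inside a view; `named-checkconf` will reject a zone left at the top level.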