[dns-operations] anybody here from GDNS?

Sidney Faber sfaber at cert.org
Wed Jul 16 02:34:38 UTC 2008

Perhaps not so much an example as an auditing guide, but consider DISA's 


particularly section 3.4.2, "Query Restrictions for Caching Servers." 
The document's written from an auditing standpoint, but it's got great 
background information / justification for each audit item geared to the 
average sysadmin.  Section 4 goes into BIND implementation details, and 
section 5 is on Windows.

And if you're really audit-oriented, there's the associated DNS 
checklist available at


Sean Donelan wrote:
> On Tue, 15 Jul 2008, Paul Vixie wrote:
>> anyone doing both authority and recursive in the same nameserver images
>> should be using views.  or multiple nameserver images, each having its own
>> listener IP.  note that in the case of views, the nameserver really does
>> ask itself questions and answer them.  in the case of multiple images, they
>> really do discover each other by iterating downward from the root zone.
> In the past, my suggestion has been to use different servers if you
> can.  But for those who don't, are there complete examples of
> setting up a single server for both non-recursive authoritative, and
> recursive non-authoritative views for the same clients?  I've pointed
> people to the isc.org tech papers and team cymru secure configuration;
> but they seem to assume you are using views because you have a split-network.
> The simplest case would be a server authoritative for EXAMPLE.COM,
> and providing recursive service to the server (i.e. localhost).

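Added example, not part of the original thread and not from any of its authors: a BIND 9 named.conf for the simplest case asked about above, one server that is authoritative and non-recursive for example.com while giving recursive service only to itself, using views. The directory, view names and zone file name are assumptions.

```conf
// named.conf (BIND 9): constructed example; paths and names are assumptions.

options {
    directory "/var/named";        // assumed working directory
    recursion no;                  // deny by default; a view opts in explicitly
    allow-transfer { none; };
};

// View 1: recursive, non-authoritative, for the server itself only.
// Views are matched in the order they appear, so this one comes first.
view "recursive" {
    match-clients { 127.0.0.1; ::1; };
    // Only queries with the RD bit set match this view. Iterative (RD=0)
    // queries, including the ones named sends to itself while resolving,
    // fall through to the next view.
    match-recursive-only yes;
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    // No example.com zone here: this view resolves example.com like any
    // other name, iterating down from the root and ending up at the
    // "authoritative" view below.
    // With no hint zone defined, BIND uses its compiled-in root hints.
};

// View 2: authoritative, non-recursive, for every other query.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";   // assumed zone file name
        allow-query { any; };
    };
};
```

Once any view is defined, every zone statement has to live inside a view; `named-checkconf` will flag a zone left at top level before the server is reloaded.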