[dns-operations] anybody here from GDNS?

Sidney Faber sfaber at cert.org
Wed Jul 16 02:34:38 UTC 2008


Perhaps not so much an example as an auditing guide, but consider DISA's 
DNS STIG,

http://iase.disa.mil/stigs/stig/index.html
http://iase.disa.mil/stigs/stig/dns_stig_v4r1_20071017.pdf

particularly section 3.4.2, "Query Restrictions for Caching Servers." 
The document's written from an auditing standpoint, but it's got great 
background information / justification for each audit item geared to the 
average sysadmin.  Section 4 goes into BIND implementation details, and 
section 5 is on Windows.

And if you're really audit-oriented, there's the associated DNS 
checklist available at
http://iase.disa.mil/stigs/checklist/index.html

hth,
sid



Sean Donelan wrote:
> On Tue, 15 Jul 2008, Paul Vixie wrote:
>> anyone doing both authority and recursive in the same nameserver images
>> should be using views.  or multiple nameserver images, each having its own
>> listener IP.  note that in the case of views, the nameserver really does
>> ask itself questions and answer them.  in the case of multiple images, they
>> really do discover each other by iterating downward from the root zone.
> 
> In the past, my suggestion has been to use different servers if you
> can.  But for those who don't, are there complete examples of
> setting up a single server for both non-recursive authoritative, and
> recursive non-authoritative views for the same clients?  I've pointed
> people to the isc.org tech papers and team cymru secure configuration;
> but they seem to assume you are using views because you have a 
> split-network.
> 
> The simplest case would be a server authoritative for EXAMPLE.COM,
> and providing recursive service to the server (i.e. localhost).
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
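
An added example, not part of the original thread or taken from the STIG or any poster's configuration: a BIND 9 named.conf sketch of the simple case asked about above, one server that is authoritative for example.com and recursive only for the host itself, using views. The directory, file names and view names are assumptions.

```conf
// Constructed example: one named instance, authoritative for example.com
// to everyone, recursive only for the host itself. Paths and file names
// are assumptions.
options {
    directory "/var/named";          // assumed working directory
    listen-on { any; };
};

// Views are tried in order; the first match wins.
// When views are used, every zone must live inside a view.
view "recursive-local" {
    // Built-in "localhost" ACL = every address configured on this host.
    match-clients { localhost; };
    // Only RD=1 queries land here. The resolver's own iterative (RD=0)
    // queries to this host's address fall through to the next view,
    // so the server asks itself and gets an authoritative answer.
    match-recursive-only yes;
    recursion yes;
    allow-recursion { localhost; };

    zone "." {
        type hint;
        file "named.root";           // assumed root hints file
    };
};

view "authoritative" {
    match-clients { any; };
    recursion no;                    // never recurse for outside clients

    zone "example.com" {
        type master;
        file "db.example.com";       // assumed zone file
        allow-transfer { none; };    // list secondaries explicitly if any
    };
};
```

Running `named-checkconf` against the file checks the syntax before named is reloaded.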


