Re: [SLUG] Domain Name Servers
> I have always thought that DNS servers for a domain may reside totally
> outside the domain. i.e. server.main.domain has no dns server running
> but has DNS servers other.server.com and another.server.com act
> authoritatively for server.main.domain.
>
> We have a server with very sensitive information and the boss does not
> want anything other than a web port open to the world. My experience
> has always been that the server in question is at least the primary DNS.
> Is this possible or do we have to think again?

According to my O'Reilly BIND 8.x book, "primary" and "slave" DNS servers are a misnomer. There're only "authoritative" and "non-authoritative" servers. And the distribution / updating of zone files between authoritative servers depend on the zone file's SOA serial number and how the "slave {...};" and "master {...};" directives are set up.

You don't need to set up a DNS server on your secured server. As long as people outside your network, or outside your web server can resolve to your web port and connect, then HTTP should handle the rest.

You might need to essentially open port 53 and configure resolv.conf for DNS names resolution on the web server; which may be required for some anti-spoofing software, firewall tools etc.

Alternatively you could set up an internal DNS server on a separate machine inside your network which can initiate a zone file transfer with external DNS servers hosting your domain. The internal DNS server could be the DNS server for the rest of your network.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
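An added example, not part of the original thread: a small check over zone data that confirms the protected web server is not named as one of the zone's authoritative servers, so it has no reason to answer on port 53. The zone contents, the 192.0.2.10 address and the function names are constructed for illustration; only the host names come from the question.

```python
# Added example: constructed zone data using the thread's placeholder names.
ZONE_ORIGIN = "main.domain."
ZONE_TEXT = """\
$TTL 86400
@       IN SOA other.server.com. hostmaster.main.domain. 2001010101 10800 3600 604800 86400
        IN NS  other.server.com.
        IN NS  another.server.com.
server  IN A   192.0.2.10   ; the protected web server, no named running
www     IN CNAME server
"""

def absolute(name, origin):
    """Expand a zone-file name to a lowercase fully qualified name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def authoritative_servers(zone_text, origin):
    """Return the hosts the zone names as its servers (SOA MNAME and NS targets)."""
    servers = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip comments, then tokenize
        if not fields or fields[0].startswith("$"):
            continue                            # blank line or $TTL/$ORIGIN directive
        if not raw[0].isspace():
            fields = fields[1:]                 # drop the owner name
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                 # skip optional TTL and class
        if len(fields) >= 2 and fields[0].upper() in ("NS", "SOA"):
            servers.add(absolute(fields[1], origin))
    return servers

def needs_port_53(host, zone_text, origin):
    """True if the zone lists `host` as a name server, so it must answer DNS queries."""
    return absolute(host, origin) in authoritative_servers(zone_text, origin)

if __name__ == "__main__":
    print(sorted(authoritative_servers(ZONE_TEXT, ZONE_ORIGIN)))
    print("server needs port 53:", needs_port_53("server", ZONE_TEXT, ZONE_ORIGIN))
```

With this zone, both authoritative servers sit outside main.domain and the web server appears only as an A record, which matches the setup asked about in the question.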
Re: [SLUG] Domain Name Servers
Jeremy,

> This seems to contradict your previous statement. If you don't wish
> this "server in question" with the sensitive information, to run DNS
> services, why not set up the configuration that you already established
> as probable, with the DNS hosted entirely by different servers?
>
> I don't understand why the current configuration of some particular
> server should rule out the possibility of a different configuration
> being possible?
>
> Perhaps I misunderstand.

Ah, I think when I added a new sentence I messed up my meaning. Sometimes an attempt at further clarification makes things a little less clear. I did mean server A is "served" by servers B & C in the naming stakes.

Thanks for the confirmation that it is possible.

Regards,

Rick
Re: [SLUG] Domain Name Servers
Rick Phillips wrote:

> I have always thought that DNS servers for a domain may reside totally
> outside the domain. i.e. server.main.domain has no dns server running
> but has DNS servers other.server.com and another.server.com act
> authoritatively for server.main.domain.

That is correct.

> We have a server with very sensitive information and the boss does not
> want anything other than a web port open to the world.

Okay, that is fine and fits in with your previous statement.

> My experience has always been that the server in question is at least
> the primary DNS.

This seems to contradict your previous statement. If you don't wish this "server in question" with the sensitive information, to run DNS services, why not set up the configuration that you already established as probable, with the DNS hosted entirely by different servers?

I don't understand why the current configuration of some particular server should rule out the possibility of a different configuration being possible?

Perhaps I misunderstand.

Thanks,

Jeremy
[SLUG] Domain Name Servers
I have always thought that DNS servers for a domain may reside totally outside the domain. i.e. server.main.domain has no dns server running but has DNS servers other.server.com and another.server.com act authoritatively for server.main.domain.

We have a server with very sensitive information and the boss does not want anything other than a web port open to the world. My experience has always been that the server in question is at least the primary DNS. Is this possible or do we have to think again?

Rick Phillips