Another thank you for last night's session. Apropos the discussion of BIND security, gmail popped in with this link http://www.circleid.com/article/774_0_1_0_C/ as a "comment" on this thread. I thought that some might find it interesting.
I've got a few other thoughts which were provoked by the session.

1) The discussion of black hole lists was interesting, and hit one of my hot buttons, which is ISPs which use dnsrbls (or rbls in general) like SpamCop to bounce e-mail rather than as one positive indication of spam so that a tool like SpamAssassin can tag it. Much as I hate spam and junk mail, I'd rather have it delivered and let me and my tools decide it's junk rather than the postman throwing good mail away with the bad. Most rbls have warnings against using them in this way, but it seems that lots of ISPs ignore them, either ignorantly or even actively, feeling that the reduction in load on their servers is worth throwing away a "few" of their customers' emails. I got into running my own local mail server just to avoid problems with this. I'm amazed at how much spam gets through on my ISP email account only to be caught by SA.

2) I looked into the view feature of BIND 9; I'm not sure that it's usable in my situation. My home LAN is behind a Netgear NAT router. I've got a DynDNS free DNS listing for denhaven2.homeip.net which resolves (via dyndns.org's name servers) to my router's address. Inside the LAN, I run BIND on a Linux server which forwards to the router (which in turn forwards to the name servers it gets from the ISP via DHCP). DynDNS wildcards the hostnames in my domain, and the NAT router uses its virtual server by ports to route to the right machines inside. My BIND server has a zone for local.denhaven2.homeip.net to resolve the addresses of machines on the LAN. Now views would let me have names like fred.denhaven2.homeip.net instead of fred.local.denhaven2.homeip.net, but to do this I'd need to expose my name server to the internet, right? DynDNS doesn't appear to support this for a dynamic IP address even if I wanted to pay for it. Does it even make sense to be thinking about this in the typical home setup with a single exposed IP address?
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
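Point 1 above argues for treating a blocklist hit as one scoring input rather than a reason to bounce. The following Python is an added example, not code from the original post or from any of the tools it names: it scores a sending IP against several DNSBLs and only rejects when the weighted hits cross a threshold. The zone names are real public lists, but the weights, the threshold and the FAKE_DNS answers are constructed for this example.

```python
"""Score a sending IP against several DNS blocklists instead of bouncing on one hit.
Added example, not from the original post; DNS sits behind a resolver callable so
the module runs offline against the constructed FAKE_DNS table at the bottom."""
import ipaddress
import socket

# Each list contributes a weight toward a spam score; no single list is decisive.
# Zone names are the publicly documented ones; the weights are assumptions.
BLOCKLISTS = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 2.0,
    "b.barracudacentral.org": 1.5,
}
REJECT_THRESHOLD = 5.0  # assumption: below this the mail is tagged, never bounced

def dnsbl_name(ip, zone):
    """Build the reversed-octet query name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_resolver(name):
    """Real lookup: the A record for a listed IP, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def score_ip(ip, resolver=live_resolver):
    """Return (score, hits). A listing is signalled by an answer in 127.0.0.0/8;
    anything else (dead or wildcarded list, captive resolver) is not a hit."""
    score, hits = 0.0, []
    for zone, weight in BLOCKLISTS.items():
        answer = resolver(dnsbl_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            score += weight
            hits.append(f"{zone}={answer}")
    return score, hits

def verdict(score):
    """Tag on any hit; reject only when enough independent lists agree."""
    if score >= REJECT_THRESHOLD:
        return "reject"
    return "tag" if score > 0 else "pass"

FAKE_DNS = {  # constructed answers standing in for the real lists (example data)
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",
    "30.2.0.192.b.barracudacentral.org": "198.51.100.7",  # bogus non-127 answer
}
def fake_resolver(name):
    return FAKE_DNS.get(name)
```

Pass `live_resolver` (the default) to query the real lists; the rejected address in the table is only reached because two independent lists agree, while a single listing is tagged for a filter such as SpamAssassin to weigh.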
