Re: [Nolug] company dns on internet / not linux but...

From: Joey Kelly <joey_at_joeykelly.net>
Date: Thu, 2 Feb 2006 14:42:50 -0600
Message-Id: <200602021443.08538.joey@joeykelly.net>

On Thursday February 2 2006 13:50, John Kosta spake:
> Guys and Gals,
>

Hi, John!

> how would you tackle this?
>
> Hub office = New Orleans
> Spoke offices = all over the place
>
> Remote offices connect to New Orleans via Point to Point T1s, and have
> internet backup.
>
> I don't want to put DNS servers in the remote offices, and I don't want
> to pass DNS traffic over the T1s. If the T1s go down, I want my users
> to access New Orleans hub via the internet.
>
> Do you know of/can you recommend /is this a horrible/good idea?:

Um, well, if you put private IP information on a publicly-addressable DNS
server, nothing will stop some l33t cr4ck3r from doing a zone transfer and
mapping out which company hosts he wants to launch exploits at, a-la the
techniques described in the "Hacking Exposed" books, unless you control the
DNS server yourself and take steps to limit who gets to see what.

I would run DNS in New Orleans and in one other office, and point all clients
at those two servers exclusively. That way even if your T-1 in New Orleans
goes down, every other office still has in-house DNS.

> Is
> there a DNS company/service that will allow me to export my DNS settings
> from New Orleans hub to the internet that I can point all my clients to
> that will have both my company specific DNS answers, and world wide DNS
> answers?
>
> So, I set all clients to get their DNS answers from:
>
> ns1.someisp.com
>
> They want yahoo, they get yahoo's public IP address.
>
> They ask for privatemailserver.atmycomany.com they get the private
> internal ip address.

Assuming your in-house domain is leetcompany.com (this can be a real domain or
a completely bogus one that only your company boxes know about, which is even
better), populate your zonefile with all the internal private IP addresses.
This should work the way you want, from the client machines' point of view.

I suppose you could use granitecanyon.com for backup DNS if you don't have the
ability to run DNS at a satellite office, and I think they won't mind you
loading zones for non-existent domains (we used to do this for OpenNIC
domains, with .geek and other TLDs), so long as the file you send them parses
correctly. If you do that, you'll have to check their server periodically
because they run a script every so often to clean out stale or bogus info. If
you're hard-pressed, I'm willing to run secondary DNS for you if you like.

Again, if you can't limit who can grep your DNS info, you're going to get
people doing things you'd rather them not do.

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
"I may have invented it, but Bill made it famous."
 --- David Bradley, the IBM employee that invented CTRL-ALT-DEL
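The advice above comes down to two controls: deny zone transfers to anyone but your own second server, and make sure the private addresses are only ever answered to company clients. The following BIND 9 `named.conf` is an added example written for this thread, not configuration from the original post or from any list member. Every address, ACL name and file name in it is hypothetical; the domain follows Joey's `leetcompany.com` placeholder.

```conf
// named.conf (BIND 9) for the New Orleans hub -- all addresses are hypothetical
acl internal    { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };  // hub, spokes, backup VPN
acl secondaries { 192.168.2.53; };                            // the second in-house server (ns2)

options {
    directory       "/var/named";
    allow-transfer  { none; };        // deny AXFR unless a zone opts in below
    allow-recursion { internal; };    // only company clients may use us to resolve yahoo.com etc.
    allow-query     { any; };         // which view answers is decided by match-clients
};

// Company clients: full recursion plus the zone carrying the private addresses.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "leetcompany.com" {
        type master;
        file "leetcompany.com.internal";   // privatemailserver etc. with 10.x/192.168.x records
        allow-transfer { secondaries; };   // only ns2 may copy the zone
        also-notify    { 192.168.2.53; };
    };
};

// Everyone else: no recursion and, if the domain is real, a public-only copy.
// If leetcompany.com is a bogus internal-only name, leave this zone out entirely.
view "external" {
    match-clients { any; };
    recursion no;

    zone "leetcompany.com" {
        type master;
        file "leetcompany.com.external";   // no RFC 1918 addresses in this file
        allow-transfer { none; };
    };
};
```

The second office's server carries the mirror image: the same two views, with the internal zone as `type slave; masters { 10.1.0.53; };` (hypothetical hub address). One caveat a view-based setup is prone to: the slave must reach the master from an address inside the `internal` ACL, otherwise the master matches it to the `external` view and it silently replicates the public-only zone. Checking that with `dig @ns2 privatemailserver.leetcompany.com` from an inside host after the first transfer is the cheap way to catch it.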

___________________
Nolug mailing list
nolug@nolug.org
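Before sending a zone file to an outside secondary such as the one Joey mentions, it is worth checking mechanically that it carries no addresses you would not want a stranger to see. The script below is an added example for this thread, not code from the post or from any list member: it parses a BIND-style zone file and lists every A/AAAA record whose address is RFC 1918, loopback or IPv6 ULA. The sample zone embedded in it is constructed, with hypothetical names and addresses.

```python
"""Audit a BIND-style zone file for addresses that should stay inside the company.

Added example for the Nolug thread above, not code from the original post.
The RFC 1918, loopback and ULA ranges are listed explicitly instead of using
ipaddress's is_private, which also flags documentation ranges such as 203.0.113.0/24.
"""
import ipaddress
import re

# Constructed sample zone for the hypothetical internal domain leetcompany.com.
SAMPLE_ZONE = """\
$ORIGIN leetcompany.com.
$TTL 3600
@                 IN SOA  ns1 hostmaster ( 2006020201 3600 900 1209600 3600 )
                  IN NS   ns1
                  IN NS   ns2
ns1               IN A    10.1.0.53      ; hub office
ns2               IN A    192.168.2.53   ; satellite office
www               IN A    203.0.113.10   ; public web host (documentation range)
privatemailserver IN A    10.1.0.25      ; internal mail
intranet     300  IN AAAA fd00:1::25     ; IPv6 ULA
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "fc00::/7",                                         # IPv6 unique local
)]

# owner-name (optional), TTL (optional), class (optional), type A/AAAA, address
_RECORD = re.compile(
    r"^(?P<name>\S+)?\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>A|AAAA)\s+(?P<addr>\S+)",
    re.IGNORECASE,
)


def is_internal(addr):
    """True if addr falls in one of the ranges that must not leave the network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def internal_records(zone_text):
    """Return (fqdn, rtype, address) for every A/AAAA record with an internal address."""
    origin = "."
    last_name = "@"        # a record with a blank owner inherits the previous owner
    found = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        m = _RECORD.match(line)
        if m is None:
            if not line[0].isspace():          # SOA/NS/MX line still sets the owner
                last_name = line.split()[0]
            continue
        name = m.group("name") or last_name
        last_name = name
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        try:
            if is_internal(m.group("addr")):
                found.append((fqdn, m.group("type").upper(), m.group("addr")))
        except ValueError:                     # not a parsable address; leave it to named-checkzone
            continue
    return found


if __name__ == "__main__":
    for fqdn, rtype, addr in internal_records(SAMPLE_ZONE):
        print(f"internal address would be exposed: {fqdn} {rtype} {addr}")
```

Run it over the real zone (`internal_records(open(path).read())`) and expect an empty list for anything destined for a public secondary; for the in-house copy the list is simply the inventory of what a zone transfer would reveal. Multi-line parenthesised records other than the one-line SOA shown are not handled, so run `named-checkzone` as well.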

Received on 02/02/06
