Yes, I fully agree that they should move the DNS service elsewhere - in my opinion to a PC sat behind the firewall PC (IPCOP if they must) with the same drop-in IP config, but with port 53 (DNS) forwarded to the internal DNS machine ... I've said this to them until I'm blue in the face!!! But exercising political muscle when you have none (even though you may have technical muscle) is nigh on impossible to do! If management want, they normally get, and don't care about any details outside THEIR outline & spec.

I wasn't saying or even thinking I'd succeed either; everything in the computer world is a challenge, but I know the excellent wealth of Linux knowledge I have access to with the people part of this list, so I thought I'd just ask and see what responses I got.

I'm going to need to fight my corner on this, I know ... I just don't think I will be listened to ...... and in that case, I just don't know what I'll be able to do!

-----Original Message-----
From: owner-list@xxxxxxxxxxxxx [mailto:owner-list@xxxxxxxxxxxxx] On Behalf Of Simon Waters
Sent: 19 April 2006 21:01
To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] IPCOP & BIND

Gary wrote:
>
> Now the problem is this ... the current Debian setup also has a BIND9 DNS
> server set up on it (bad practice I know running a firewall and DNS server
> on the same machine) and they want the replacement PC to have the same.

I think it's time to exercise a little political muscle. If they want a locked down, easy to manage firewall distro, then that is what they want, and they should move the DNS service elsewhere.

I'd be wary of even trying to add something like BIND9 to a distro that didn't have it. Ubuntu didn't manage to supply me with a stable copy of BIND9; why do you think you'll succeed?

Just stick a locked down firewall in a drop-in configuration, and leave an old PC running Debian Sarge and BIND9 on the old IP address, would be my advice. Hey, you probably already have such a PC up and running.
Bad practice I know, but hell, I have a firewall running BIND9; it doesn't worry me much given the recursive server is locked down tightly, the BIND 9 process runs chrooted, and the box is massively over-specified, rock solid, and always on (at least when the Internet connection is working). It isn't protecting Fort Knox, and the majority of the browsers in use behind it scare me far more.

- The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
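For readers wondering what a "locked down tightly" recursive server on a firewall box looks like in BIND 9 terms, here is an added named.conf fragment (an editorial example, not the configuration of either poster) that answers and recurses only for the internal network. The network 192.168.1.0/24, the interface address 192.168.1.1 and the chroot path /var/lib/named are assumed placeholders.

```conf
// Added example, not from the thread: recursive resolver restricted to the LAN.
// 192.168.1.0/24, 192.168.1.1 and /var/lib/named are constructed placeholders.

acl "internal" {
    127.0.0.0/8;
    192.168.1.0/24;
};

options {
    // Paths are relative to the chroot when named is started with
    // "named -u bind -t /var/lib/named" (as Simon's chrooted process would be).
    directory "/var/cache/bind";

    // Bind only to loopback and the inside interface, never the outside one.
    listen-on    { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { none; };

    // Only internal clients may query or recurse; Internet hosts are refused,
    // so the firewall cannot be used as an open resolver or reflector.
    allow-query     { internal; };
    allow-recursion { internal; };
    allow-transfer  { none; };

    // Do not advertise the running version to whoever probes it.
    version "not disclosed";
};
```

Check the result from outside the firewall with `dig @<external-ip> example.com`; a correctly restricted resolver returns REFUSED (or nothing at all, if the listen-on list excludes that interface) rather than an answer.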