possible patch for implementing split DNS

eculp at bafirst.com eculp at bafirst.com
Mon Aug 28 23:29:49 UTC 2006

Quoting Julian Elischer <julian at elischer.org>:

> Julian Elischer wrote:
>> John-Mark Gurney wrote:
>>> Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
>>>> Almost all other services (e.g. inetd, natd, sshd, etc. etc.) allow 
>>>> you to specify a different config file
>>>> so that you can supply different services to the inside and outside 
>>>> but it all falls apart
>>>> if they still are forced to use the same DNS server and can not 
>>>> provide a differentiated service
>>>> for that reason.
>>> Why not put one of the two in side a jail (I think someone else mentioned
>>> this), or chroot'd environment where it can pick up a different 
>>> resolv.conf?
>> The very mail you quoted says that I can not put it inside a jail.
>> a chroot is slightly less problematical except that they do need to 
>> share filesystems.
>> To make it fully work I need to have /etc nearly all shared along 
>> with a lot more but I need
>> to have different /etc/resolv.conf
> to expand on this.. imagine a set of 20 or so processes with about 10 or so
> channels of communication between each pair of processes,
> utilising unix domain sockets,  lots  of shared files, ip sockets and 
> sysV opts.
> I want some of this rats nest of processes to use a different name 
> server but not all of them,
> without completely breaking any of the thousands of not-so-obvious 
> connections.
> putting them in a chroot or a jail gives me so many possible failure 
> points my head spins.
> just asking the resolver to ask a different server seems the simple 
> and less error prone path.
> I would ask the security crew to think about this too as DNS is 
> important to get right for security,
> but I believe it can be done in such a way that it remains secure..
> possibly, by insisting that it remains in /etc but specifying only 
> the name portion. (for example).

Hi, Julian,

I assume that you have seen the following:


I found it interesting although I haven't had time to give it a try 
especially since I'm thinking about leaving bind9 for djbdns and 
ldap2dns even though I've never been crazy about djbdns and family.

Good luck,


>> So, why NOT make this tunable from the environment? It does not do 
>> it for SUID processes
>> and there are already environment variables that influence name lookup.
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
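The thread proposes letting the resolver pick a different config file via the environment, while still refusing the override for set-uid processes and, as one suggestion, only allowing the file's name portion so the file always stays under /etc. The block below is an added illustration of that policy, not code from this thread, from FreeBSD's libc, or from any patch discussed here. The environment variable name RESOLV_CONF_NAME and the function names are assumptions chosen for the example; the privilege check uses issetugid(2) on FreeBSD and falls back to a uid/gid comparison elsewhere so it compiles portably.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RESOLV_DIR      "/etc/"          /* the directory is fixed, never overridable */
#define RESOLV_DEFAULT  "resolv.conf"
#define RESOLV_ENV      "RESOLV_CONF_NAME" /* hypothetical variable name (assumption) */
#define RESOLV_NAME_MAX 64

/* Accept only a bare file name: non-empty, bounded length, a conservative
 * character set, and never "." or "..". Anything with a '/' is rejected,
 * so the chosen file cannot escape RESOLV_DIR. */
static int safe_name(const char *name)
{
    size_t n, i;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > RESOLV_NAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Decide which resolver config to open.
 *   override   - value of the environment variable, or NULL when unset
 *   privileged - nonzero when the process is set-uid/set-gid
 * Writes the full path into out. Returns 1 when the override was honored,
 * 0 when the default /etc/resolv.conf was used (unset, unsafe, or privileged). */
int resolv_conf_path(const char *override, int privileged, char *out, size_t outlen)
{
    const char *name = RESOLV_DEFAULT;
    int honored = 0;

    if (!privileged && safe_name(override)) {
        name = override;
        honored = 1;
    }
    snprintf(out, outlen, "%s%s", RESOLV_DIR, name);
    return honored;
}

/* Same rule the thread cites for other environment-driven lookups:
 * ignore the override entirely in a set-uid/set-gid process. */
static int process_is_privileged(void)
{
#ifdef __FreeBSD__
    return issetugid();
#else
    return geteuid() != getuid() || getegid() != getgid();
#endif
}

int main(void)
{
    char path[128];
    int honored = resolv_conf_path(getenv(RESOLV_ENV), process_is_privileged(),
                                   path, sizeof path);

    printf("resolver config: %s (%s)\n", path,
           honored ? "from environment" : "default");
    return 0;
}
```

Run as an ordinary user with RESOLV_CONF_NAME=resolv-inside.conf it reports /etc/resolv-inside.conf; with a value such as ../passwd or /tmp/x, or in a set-uid process, it falls back to /etc/resolv.conf rather than trusting the caller's environment.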
