From: Todd K. Watson (tkw@southwestern.edu)
Date: Tue Oct 17 2000 - 08:21:11 CDT
Rich, et. al,
True enough. However, if one is not using non-routable addresses, the
"phony-ips" acl could get a bit messy.
I like this DNS scenario better because no longer would the DHCP client
have to get different DNS servers (something that can be a problem w/out a
reboot). The reboot would probably still be a good measure to ensure that
the new lease is obtained correctly. Rich, do you suggest a reboot to the
students on your systems to fix any DHCP client issues with
releasing/renewing leases after the registration process?
Todd
-- Todd K. Watson Senior System & Network Administrator Southwestern University, Georgetown, TX tkw@southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605On Tue, 17 Oct 2000, Rich Graves wrote:
> (I'm not running netreg, about which more anon, but we have common > interests.) > > Your "Bogus NameServer" caveat isn't necessary if you simply tell BIND not > to answer anyone but unregistered clients. Also you probably want to set > the TTL short. I've set 30 seconds for random requests, 1 day for > unet.brandeis.edu (a real address), and 5 minutes for the NS record > (probably never used). > > // named.conf > acl phony-ips { > // Unregistered computers get unroutable address > 10.64/16; > // Allow NetSaint to check server > 129.64.99.138; > }; > options { > directory "/var/named"; > fetch-glue no; > recursion no; > }; > // See ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos > zone "bind" chaos { > type master; > file "bind"; > allow-query { none; }; > allow-transfer { none; }; > }; > zone "." in { > type master; > file "db.root"; > allow-query { phony-ips; }; > allow-transfer { none; }; > }; > > > ; db.root > $TTL 30 > . IN SOA unet.brandeis.edu. root.brandeis.edu. ( > 5 10800 3600 604800 86400 ) > 300 IN NS unet.brandeis.edu. > unet.brandeis.edu. 86400 IN A 129.64.99.13 > *. 30 IN A 129.64.99.13 > > > ; Phony bind zone to hide bind version, etc. > ; See ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos > $ORIGIN bind. > $TTL 86400 > @ 1D CHAOS SOA localhost. root.localhost. ( > 1 ; serial > 3H ; refresh > 1H ; retry > 1W ; expiry > 1D ) ; minimum > CHAOS NS localhost. > ; EOF > -- > Rich Graves <rcgraves@brandeis.edu> > UNet Systems Administrator
********************************************************************** To unsubscribe from this list, send an e-mail message to majordomo@southwestern.edu containing a single line with the words: unsubscribe netreg Send requests for assistance to: owner-netreg@southwestern.edu **********************************************************************
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:34 CDT