[PROXYPER] Re: [RC5-PROXYPER] Basic setup for LAN with a...

Joe Zbiciak j-zbiciak1 at ti.com
Thu Sep 10 11:39:07 EDT 1998


'Henry Miller' said previously:

| Well, the problems are not likely, but if you don't know how you could
| have them, stop.

I'm aware of problems that are worth worrying about.  I don't know that the
problems you're suggesting are worth worrying about.

|  What I suggested was setting up a DNS internal to the
| private network. 

When?  All you suggested is that DNS spoofing somewhere could cause you to
lose blocks.

| This would give other advantages on a private network.
| However it is necessary to make sure the real world never talks to your
| DNS.  

Right.  And if someone has a broken DNS server listed in their InterNIC
record that is offering DNS resolution for distributed.net, they deserve to
be shot!

| Normally this isn't a problem.  However, if you try to run your internal
| name server on a machine that is also connected to the real world, and
| someone in the real world uses your name server, you poison them.  This is
| mostly possible if you point all machines to an internal name server that
| internic already points to.  If your DNS is on the private lan only, you
| are fine. 

Setting up DNS on a private lan is a completely different issue.  If you're
doing this for Internet hosts, then yes, you should have a caching-only
DNS server which only responds to requests on the private-network side.
Even if it did respond to requests on the Internet side, someone on the
internet would have to manually set their DNS server address to your broken
DNS server's address to see anything.  

I don't think "real" name servers allow just anyone to upload DNS entries
to them.  If they did, we have much worse problems.

| If your machines can communicate with part of the real internet
| (ie you allow anyone to access company servers, but use the private
| address space to make sure they can't get to the internet) you might have
| them pointed to an internet connected name server.  

If your machines have a 10.X.X.X or 192.168.X.X or 192.X.X.X address
and can communicate with the rest of the internet, then you're already
communicating through special software (IP Masquerading software, 
specifically) which rewrites all traffic from the private host to appear
as if it's coming from the masquerading router.  

If you're using external (internet-based) DNS servers in such an approach
(recommended), with a local "/etc/hosts" for all the private hosts, then
I don't see what problems you might have that are different from talking
to a broken DNS server in general. 


| In the latter case someone might (stupidly) setup a name server at an ISP
| for instance to give the wrong address, and others wouldn't connect to
| anything. 

If your ISP's DNS is broken, get another ISP, and go sic the InterNIC
dogs on your old ISP as you leave.  They're a menace to the Internet
community.  

| The case for this would be a permanent internet connection for
| a few machines, private subnetting for the rest, the ISP runs the
| nameserver, and knows to route to the private subnet. 


At most, the firewall machine connecting the two networks -- internal
and external -- should know about the internal route and the external
route at the same time, if your network has one of the private network
addresses. 

Everyone on the internal network should know how to get to the firewall
and no further.  An internal-network-specific DNS server should be
completely behind the firewall, even if it caches external DNS lookups
for speed.

If your private network has full-blown internet addresses, rather than
a private class A (10.X.X.X) or class B (192.168.x.x, 192.0.x.x), then
there isn't much point to having a private DNS server, unless you don't
want the outside world to see your hostnames.  If you do want one, then 
put it behind the firewall, and have a less populated nameserver outside
the firewall. 

|  I don't know if it
| ever happens, but it could.  Don't let it.

In any case, if your ISP is incompetent enough to screw this up, get
another one.  You're in for other, more severe problems, IMHO, if you
stay with a broken ISP.   In other words, it's hardly a problem worth
worrying about if you're just trying to get your private machines to 
connect to a perproxy running on a dialup machine, even if you do run
some hokey DNS on the dialup machine.  Who in their right minds is going
to trust a DNS server on some bloke's dialup box?

Besides, the perproxy seems to require hardcoded IPs on many boxes for
some reason. These bypass DNS altogether.

Regards,

--Joe

-- 
 +------ Joseph Zbiciak -----+
 | - - j-zbiciak1 at ti.com - - | "Can I ask you a really stupid question?"
 |-Texas Instruments, Dallas-|
 | - #include <disclaim.h> - | "Yes, and history will bear me out on that." 
 +---------------------------+
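Added example, not part of the original message: a BIND named.conf fragment for the caching-only resolver Joe describes, one that listens only on the private side of the firewall and answers (and recurses) only for private-LAN hosts, so nothing on the Internet side can use or poison it. The interface address 10.0.0.1, the forwarder 192.0.2.53 and the zone name "lan.example" are assumed for illustration.

```conf
// Hosts allowed to use this resolver: the private LAN and loopback only.
acl "private-lan" {
    10.0.0.0/8;
    127.0.0.1;
};

options {
    directory "/var/named";

    // Bind only to loopback and the private-side interface (assumed
    // address 10.0.0.1); never to the Internet-facing interface.
    listen-on { 127.0.0.1; 10.0.0.1; };

    // Answer queries, and perform recursion, only for the private LAN.
    // An outside host that points its resolver here gets REFUSED.
    allow-query     { "private-lan"; };
    allow-recursion { "private-lan"; };

    // Caching-only: anything not already cached is forwarded to the
    // ISP's resolver (assumed address) instead of being resolved here.
    forwarders { 192.0.2.53; };
    forward only;
};

// Optional internal zone holding the private hostnames that would
// otherwise live in every host's /etc/hosts. Because of allow-query
// above it is visible only to private-lan hosts.
zone "lan.example" {
    type master;
    file "lan.example.zone";
};
```

Once loaded, a query from a 10.x.x.x host is answered while the same query from an external address is refused, which is the behaviour the message asks for.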

--
To unsubscribe, send 'unsubscribe proxyper' to majordomo at lists.distributed.net
