Julian Elischer wrote:
> John-Mark Gurney wrote:
> > Julian Elischer wrote this message on Mon, Aug 28, 2006 at 12:33 -0700:
> > > Almost all other services (e.g. inetd, natd, sshd, etc.) allow you
> > > to specify a different config file
> > > so that you can supply different services to the inside and outside,
> > > but it all falls apart
> > > if they still are forced to use the same DNS server and can not
> > > provide a differentiated service
> > > for that reason.
> > Why not put one of the two inside a jail (I think someone else
> > mentioned
> > this), or chroot'd environment where it can pick up a different
> > resolv.conf?
> The very mail you quoted says that I can not put it inside a jail.
> A chroot is slightly less problematic except that they do need to
> share filesystems.
> To make it fully work I need to have /etc nearly all shared along with
> a lot more, but I need
> to have a different /etc/resolv.conf.
To expand on this: imagine a set of 20 or so processes with about 10 or so
channels of communication between each pair of processes,
utilising unix domain sockets, lots of shared files, IP sockets and
SysV opts.
I want some of this rat's nest of processes to use a different name
server but not all of them,
without completely breaking any of the thousands of not-so-obvious
connections.
Putting them in a chroot or a jail gives me so many possible failure
points my head spins.
Just asking the resolver to ask a different server seems the simple and
less error-prone path.
I would ask the security crew to think about this too, as DNS is
important to get right for security,
but I believe it can be done in such a way that it remains secure,
possibly by insisting that it remains in /etc but specifying only the
name portion (for example).
So, why NOT make this tunable from the environment? It does not do it
for SUID processes,
and there are already environment variables that influence name lookup.
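As an added illustration of the guard proposed above (this is example code written for this page, not code from the thread or from FreeBSD's libc), the function below honours an environment variable naming an alternate resolver config only as a bare file name confined to /etc, and ignores it entirely in a set-user/group-ID process. The variable name RESOLV_CONF_NAME is a made-up placeholder, and the uid/gid comparison is a portable stand-in for FreeBSD's issetugid(3).

```c
/* Added example, not part of the original thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RESOLV_DIR     "/etc/"
#define RESOLV_DEFAULT "/etc/resolv.conf"
#define RESOLV_ENV     "RESOLV_CONF_NAME"   /* hypothetical variable name */

/* Stand-in for issetugid(): any uid/gid mismatch means the environment
 * was supplied by a less privileged caller and must not be trusted. */
static int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* A usable override is a plain file name: non-empty, no '/', not "."
 * or "..", and short enough to fit after the /etc/ prefix. */
static int valid_resolv_name(const char *name, size_t maxlen)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strlen(name) >= maxlen || strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Pick the resolver config for this process.  `override` is the raw
 * environment value (may be NULL); `privileged` mirrors running_setugid().
 * Writes the chosen path to `out`; returns 1 if the override was honoured,
 * 0 if the default /etc/resolv.conf was used. */
int choose_resolv_conf(const char *override, int privileged,
                       char *out, size_t outlen)
{
    if (!privileged && outlen > sizeof(RESOLV_DIR) &&
        valid_resolv_name(override, outlen - sizeof(RESOLV_DIR))) {
        snprintf(out, outlen, "%s%s", RESOLV_DIR, override);
        return 1;
    }
    snprintf(out, outlen, "%s", RESOLV_DEFAULT);
    return 0;
}

int main(void)
{
    char path[64];
    int used = choose_resolv_conf(getenv(RESOLV_ENV), running_setugid(),
                                  path, sizeof path);
    printf("%s (%s)\n", path, used ? "override" : "default");
    return 0;
}
```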
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"