[CentOS] Split dns issues

Sun Aug 2 23:23:42 UTC 2009
Jason Pyeron <jpyeron at pdinc.us>

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Les Mikesell
> Sent: Sunday, August 02, 2009 18:20
> To: CentOS mailing list
> Subject: Re: [CentOS] Split dns issues
> 
> Jason Pyeron wrote:
> >>>>
> >> You could just firewall port 25 on the spam-checking MX
> > 
> > They are outsourced to google, we cannot control that.
> 
> You must have a firewall that you control on your side where 
> these connections have to pass.
> 
> >> relays from the trusted networks and add a high-numbered MX record
> >> for the target you want them to hit instead.  As long
> > 
> > Adding mail.pdinc.us to the list would beg spammers to skip our spam
> > gateway service.
> 
> That's fine, as they would be unable to connect if you leave 
> it a private address.

Just feels dirty.

> 
> > And I think adding the non-routable IPs assigned to the intranet
> > mail.pdinc.us server to public MX records might be a bit of bad form
> > and add a point of failure when the IP address changes.
> 
> It's a bit of bad form to use NAT and private addresses at 
> all because the internet really wasn't designed to be 
> segmented, but everyone does it.  Or you could use a public 
> address in a DMZ where it is firewalled from everything but 

We are working towards that, but our provider does not want to allocate any more
IPs beyond our two current class C blocks. Hoping to migrate to IPv6 soon.

> internal connections and perhaps things relayed by the 
> external spam service. 
> The point of being able to provide multiple MX records is 
> that things keep working even if some of them aren't reachable.
> 

I think for now we are going to leave it as status quo. 

We have been tossing around using a SQL backend to generate our zone files. Now
that I see pdns supports Oracle and MySQL, we might do up a whole new thing.

I am going to start a new thread on pdns.

Thanks everyone for your patience and help.

-Jason 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.