Subject: more geek stuff
Fri Jan 29 23:46:38 1999

i was just digging through some notes, and came across a trick for setting up websites with restricted access. it uses a combination of name-based virtual hosting and private DNS. it's a reasonably secure, low-impact way to set up an intranet on a server which is visible from the internet, without requiring passwords.

step one is to create a DNS record on your local nameserver using an 'illegal' top-level domain, i.e.: something other than '.com', '.org', etc. i generally use '.priv', to indicate a private domain. the file is exactly like any other name record. the official TLDs aren't hardwired into the name daemon, so you can define anything you want. those names are simply meaningless to anyone who doesn't use your nameserver, which is what we want in this case.

step two is to create a name-based virtual host using the private TLD you've just defined. again, the configuration is completely standard. as far as the httpd is concerned, it's just another name-based host.

step three is to dig around in the network settings for your client machines, telling them to call your private nameserver first when doing lookups. once again, there's nothing special to it.

at that point, anyone connecting to your private nameserver can use the URL: http://www.foo.priv/ just like any other URL. OTOH, anyone not connected to your private nameserver will get a DNS error.

by adding some simple restrictions on incoming connections to the virtual host and the nameserver, you can build a website which is more or less firewalled off from the internet, without having to deal with an actual firewall. the same server can also host sites which are visible to the outside world, and i personally think the nonstandard TLD makes a nice mnemonic.

naturally, all the standard security disclaimers still apply.. anyone who puts sensitive or privileged information on a machine which connects directly to the internet is a suicidal idiot. real security requires real security tools, and a real commitment to keeping those systems secure. this technique is pretty good at keeping casual users from wandering into places where you don't want them. that covers probably 80% of standard intranet use, so it's adequate for keeping everyday convenience information under wraps. if you're working in the remaining 20% of intranet space, though.. exchanging information whose compromise can have serious financial or legal consequences.. DO NOT assume this will save you the cost of a real firewall.
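The restriction on incoming connections is the part that does the real work: a name-based httpd picks the vhost from the client-supplied Host header, so the private name being unresolvable from outside is a mnemonic and a convenience, not a gate. The following is an added illustration, not code from the original post, modelling that selection logic with a per-vhost source-address allowlist; the hostnames, document roots and the 192.168.1.0/24 range are assumptions.

```python
import ipaddress

# Constructed example: one public site and one private '.priv' vhost on the same
# server. Only the private vhost carries an address allowlist. Names, paths and
# the 192.168.1.0/24 range are assumptions for this illustration.
VHOSTS = {
    "www.example.com": {"docroot": "/var/www/example.com", "allow_from": None},
    "www.foo.priv": {"docroot": "/var/www/foo.priv",
                     "allow_from": [ipaddress.ip_network("192.168.1.0/24")]},
}
# A name-based httpd serves its default vhost for any Host value it does not know.
DEFAULT_VHOST = "www.example.com"


def select_vhost(host_header):
    """Name-based virtual hosting: the site is chosen from the Host header alone."""
    name = host_header.split(":", 1)[0].strip().lower()   # drop any ':port' suffix
    return name if name in VHOSTS else DEFAULT_VHOST


def dispatch(host_header, client_ip):
    """Return (status, vhost) for one request after the per-vhost address check.

    The Host header is supplied by the client, so the address allowlist on the
    private vhost, not the private DNS name, is what keeps outsiders out.
    """
    name = select_vhost(host_header)
    allow = VHOSTS[name]["allow_from"]
    if allow is not None:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in allow):
            return 403, name
    return 200, name


if __name__ == "__main__":
    for host, ip in [("www.foo.priv", "192.168.1.20"),     # inside: served
                     ("www.foo.priv", "203.0.113.5"),      # outside: refused
                     ("www.example.com", "203.0.113.5")]:  # public site: served
        print(host, ip, dispatch(host, ip))
```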