On 07.02.19 16:30, Roberto Carna wrote:
Desktops I mentioned can only access web apps from internal domains, but
in some web apps there are links to download the Teamviewer client software
from the Internet. I can create a private zone "teamviewer.com" with all the
hostnames and IPs we will use, but if they change I will be in trouble.

So we need to forward the query to our resolvers in order to get a valid
response.

So I think we can use the forward option from BIND, but it doesn't work at
all, as I described:

1. "recursion no" can only be set at the top (view) level, not overridden
  at the zone level.

2. If I set "recursion no" at the view level, then a "type forward"
  zone has no effect:

 view "foo" {
   recursion no;
   ...
   zone "teamviewer.com" {
     type forward;
     forward only;
     forwarders { 172.18.1.1; 172.18.1.2; };
   };
 };

-- query for foo.teamviewer.com fails and says it's not a recursive query

The whole point of "recursion no" is not to answer recursive queries,
so it should be no wonder it works that way.


3. If I define "recursion yes" at view level:

 view "foo" {
   recursion yes;
   ...
   zone "teamviewer.com" {
     type forward;
     forward only;
     forwarders { 172.18.1.1; 172.18.1.2; };
   };
 };

-- query for foo.teamviewer.com is OK, but I also get OK responses for
foo.ibm.com, foo.google.com, and any other public domain on the Internet
(and this is not what I want, it's what I'm trying to prevent)

So can you help me please???

You still have not answered my question:

what is the point of running a DNS server with only two hostnames allowed to
resolve?

However, you can define an empty type master "." zone, and BIND will return
NXDOMAIN for anything else.


On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas (<uh...@fantomas.sk>)
wrote:

On 07.02.19 14:58, Roberto Carna wrote:
>In our company we have several desktops from two different cities accessing
>only internal domains distributed in two views in a private BIND with
>authoritative zones, where I've defined "recursion no;".
>
>But now we have to let them access *.teamviewer.com hostnames, just this
>public domain and no other.

btw, when did linux.org change to teamviewer.com?

>So I've implemented the forwarding of the "teamviewer.com" zone to our BIND
>resolver servers (they forward DNS queries to 8.8.8.8). So I've created a
>third view with this information in named.conf.local:
>
>acl internet { 10.0.0.0/24; };
>
>view "internet" {
>
>   match-clients { internet; key "custom"; };
>
>   recursion yes;
>
>   zone "teamviewer.com" {
>        type forward;
>        forward only;
>        forwarders {
>                172.18.1.1;
>                172.18.1.2;
>        };
>   };
>
>};


>I defined "recursion yes" but the BIND server forwards all the public
>domain queries to our resolvers and not just those for "teamviewer.com", so it
>doesn't work. And if I change to "recursion no", the query for
>www.teamviewer.com is refused and an error appears on the client side
>saying that recursion is necessary.

Of course, BIND will resolve other domains (recurse) only when you allow it
to recurse.

>So I let desktops resolve all the Internet domains or none, and this is
>not what I want because I just want to let them resolve teamviewer.com.
>
>How can I forward only teamviewer.com zone queries to my resolvers???


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
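As an added example (not from this thread or from ISC), the following shell script writes out the configuration the reply above points to: a view that keeps "recursion yes" (a forward zone is never consulted otherwise), restricts who may recurse to the internal ACL, forwards only "teamviewer.com" to the internal resolvers, and carries an empty master "." zone so every other name is answered NXDOMAIN from local authority instead of being resolved on the Internet. The client network 10.0.0.0/24 and the forwarders 172.18.1.1/172.18.1.2 are taken from the thread; the output directory argument, the file names, the zone file contents and the SOA values are constructed for the example, and the TSIG key "custom" from the original view is left out.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread or from ISC.
# Builds a BIND view that recurses only for one forwarded domain and
# answers NXDOMAIN for everything else via an empty "." master zone.
# Assumptions (constructed): $1 is the output directory; file names,
# SOA values and the localhost glue record are made up for the example.
set -eu

# Minimal root zone: SOA + NS make BIND authoritative for ".", so any
# name it holds no other zone for gets NXDOMAIN straight from this zone.
write_empty_root_zone() {
    dir=$1
    cat > "$dir/db.empty-root" <<'EOF'
$TTL 3600
@           IN  SOA localhost. hostmaster.localhost. (
                    2019020701  ; serial (constructed)
                    3600        ; refresh
                    900         ; retry
                    604800      ; expire
                    300 )       ; negative-cache TTL for the NXDOMAIN answers
@           IN  NS  localhost.
localhost.  IN  A   127.0.0.1   ; glue so named-checkzone does not warn
EOF
}

# View fragment to be included from named.conf (or named.conf.local).
write_view_config() {
    dir=$1
    cat > "$dir/named.conf.internet" <<'EOF'
acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients   { internet; };
    // recursion has to stay on for a forward zone to be used at all,
    // so restrict who may recurse instead of switching recursion off
    recursion       yes;
    allow-recursion { internet; };

    // the only public domain these clients may resolve
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    // empty root zone: every other name lands here and gets NXDOMAIN
    zone "." {
        type master;
        file "db.empty-root";
    };
};
EOF
}

# Validate the zone file with BIND's own checker when it is installed;
# prints "skipped" otherwise so the script still runs without BIND.
check_config() {
    dir=$1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q . "$dir/db.empty-root"
        echo "zone ok"
    else
        echo "skipped"
    fi
}

# Usage: sh this-script.sh /etc/bind/internet-view
if [ "${1:-}" != "" ]; then
    mkdir -p "$1"
    write_empty_root_zone "$1"
    write_view_config "$1"
    check_config "$1"
fi
```

Two caveats worth knowing before relying on this: the forwarded answers are only as trustworthy as the internal resolvers and whatever they forward to, and a record under teamviewer.com that is a CNAME into some other domain (a CDN, for instance) will itself be answered NXDOMAIN by the empty root zone, so the download links should be tested end to end after the change. Logging queries for the "internet" view (BIND's "queries" category) is the simplest way to spot clients that still try to resolve names outside the allowed domain.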