Dear Matus, thanks a lot for your help.

>> what is the point of running DNS server with only two hostnames allowed to
>> resolve?

The point is I have several desktops that must have access only to internal domains. The unique exception is they have access to teamviewer.com in order to download the Teamviewer client and a pair of operations in this public domain.

I think if I have set up "recursion = no", if I define a forward zone with "type forward" and the corresponding forwarder, this option enables the recursion just for this defined zone.

In general, my question is how to forward a public domain to a DNS resolver like 8.8.8.8 ???

Thanks again.

On Sat, Feb 9, 2019 at 12:28, Matus UHLAR - fantomas (<uh...@fantomas.sk>) wrote:

> On 07.02.19 16:30, Roberto Carna wrote:
> >Desktops I mentioned can only access to web apps from internal domains, but
> >in some web apps there are links to download Teamviewer client software
> >from Internet. I can create a private zone "teamviewer.com" with all the
> >hostnames and IP's we will use, but if they change I will be in trouble.
> >
> >So we need to forward the query to our resolvers in order to get a valid
> >response.
> >
> >So I think we can use the forward option from BIND, but it doesn't work at
> >all as I described:
> >
> >1. "recursion no" can only be set at the top (view) level, not overridden
> >   at the zone level.
> >
> >2. If I set "recursion no" at the view level, then a "type forward"
> >   zone has no effect:
> >
> >   view "foo" {
> >       recursion no;
> >       ...
> >       zone "teamviewer.com" {
> >           type forward;
> >           forward only;
> >           forwarders { 172.18.1.1; 172.18.1.2; };
> >       };
> >   };
> >
> >-- query for foo.teamviewer.com fails and tells it's not a recursive query
>
> the whole point of "recursion no" is not to answer recursive queries,
> so there should be no wonder it works that way.
>
> >3. If I define "recursion yes" at view level:
> >
> >   view "foo" {
> >       recursion yes;
> >       ...
> >       zone "teamviewer.com" {
> >           type forward;
> >           forward only;
> >           forwarders { 172.18.1.1; 172.18.1.2; };
> >       };
> >   };
> >
> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >(and this is not what I want, it's what I'm trying to prevent)
> >
> >So can you help me please???
>
> you still have not answered my question:
>
> >> what is the point of running DNS server with only two hostnames allowed to
> >> resolve?
>
> However, you can define empty type master "." zone, and bind will return
> NXDOMAIN for anything other.
>
> >On Thu, Feb 7, 2019 at 15:40, Matus UHLAR - fantomas (<uh...@fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 14:58, Roberto Carna wrote:
> >> >In our company we have several desktops from two different cities accessing
> >> >only to internal domains distributed in two views in a private BIND with
> >> >authoritative zones, where I've defined "recursion no;".
> >> >
> >> >But now we have to let them access to *.teamviewer.com hostnames, just this
> >> >public domain and not other.
> >>
> >> btw, when did linux.org change to teamviewer.com?
> >>
> >> >So I've implemented the forwarding of "teamviewer.com" zone to our BIND
> >> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've created a
> >> >third view with this information in named.conf.local:
> >> >
> >> >acl internet { 10.0.0.0/24; };
> >> >
> >> >view "internet" {
> >> >    match-clients { internet; key "custom"; };
> >> >    recursion yes;
> >> >    zone "teamviewer.com" {
> >> >        type forward;
> >> >        forward only;
> >> >        forwarders {
> >> >            172.18.1.1;
> >> >            172.18.1.2;
> >> >        };
> >> >    };
> >> >};
> >>
> >> >I defined "recursion yes" but the BIND servers forwards all the public
> >> >domains queries to our resolvers and not just for "teamviewer.com", so it
> >> >doesn't work. And if I change for "recursion no", the query
> >> >www.teamviewer.com is refused and at the client side appears an error
> >> >telling that recursion is necessary.
> >>
> >> of course, BIND will resolve other domains (recurse) only when you allow it
> >> to recurse.
> >>
> >> >So I let desktops resolve all the Internet domains or neither, and this is
> >> >not what I want because I just want to let them resolve just teamviewer.com.
> >> >
> >> >How can I do to forward only teamviewer.com zone queries to my resolvers???
> >> >
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Eagles may soar, but weasels don't get sucked into jet engines.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
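
Added example, not part of the thread and not either poster's configuration: the empty "." zone suggested in the quoted reply, written out next to the forward zone from the original post. The zone file path, the localhost SOA/NS names, the teamviewer.com delegation inside the root zone and the dnssec-validation setting are assumptions of this example.

```conf
// Added example (not from the thread). File path, SOA/NS names, the
// delegation and the DNSSEC setting are assumptions, marked below.
acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; key "custom"; };

    // Must stay on: a "type forward" zone is only used when named would
    // otherwise recurse. With "recursion no" the query is refused.
    recursion yes;

    // Assumption: the forwarders validate DNSSEC; this view cannot chain
    // answers to the real root through its own unsigned "." zone.
    dnssec-validation no;

    // Local root zone: every name without a more specific zone or a
    // delegation is answered authoritatively with NXDOMAIN, no recursion.
    zone "." {
        type master;
        file "/etc/bind/db.local-root";   // placeholder path
    };

    // The only public domain handed to the internal resolvers.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };
};

/* Placeholder zone file db.local-root:

$TTL 3600
.               IN SOA  localhost. hostmaster.localhost. (
                        1 3600 600 86400 3600 )
.               IN NS   localhost.
localhost.      IN A    127.0.0.1
; Assumption: named is authoritative for the parent ".", so it reaches the
; forward zone only through a delegation; "forward only" never uses the
; NS target itself.
teamviewer.com. IN NS   localhost.
*/
```

Run named-checkconf and named-checkzone on the result before reloading, then confirm from a desktop in 10.0.0.0/24 that a teamviewer.com name resolves while an unrelated public name returns NXDOMAIN.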