On 15.10.22 16:03, Bob McDonald wrote:
OK, if a known client accesses DNS on the internal network, that
client is pointed at a recursive resolver (e.g by DHCP). That resolver
either provides access to the internal DNS zones (e.g. via stub zones)
or sends the client query to the root servers on the internet. An
unknown client (e.g. guest WiFi) will be given the same resolver
address for its DNS server. At this point it would require ACLs to
prevent that unknown client from accessing the internal DNS zones. All
DNS traffic from that client would be sent to the internet.
Another way to achieve that would be to have a separate set of DNS
resolvers for unknown clients (resolver addresses handed out via
DHCP). That's my current view of how to get things done in this case.
What I'm discerning from the discussion so far is that this isn't
strictly necessary. The internal DNS zones can/should reside on the
recursive resolvers. The question of unknown client access to internal
DNS zones is resolved (no pun intended...).
bind supports views, which work like virtual DNS servers, you can define
some zones only in internal views.
you can even support multiple views for internal, wi-fi and external
clients, where the internal clients will get recursion and see internal
zones, wi-fi clients get recursion w/o seeing internal zones, and external
zones only see public zones.
You can separate these clients by their source IPs, without any need to
configure separate servers with separate iP addresses.
you may want to share dns cache between internal and wi-fi zones using
attach-cache directive, and share public zones to the internal and wi-fi
directives by configuring thoze zones using "in-view".
RPZ COULD be implemented on ANY of the recursive DNS resolvers.
note that RPZ is designed to prevent/redirect access to destinations, not to
clients - it's not designed to separate clients and access to zones this
way.
The tsig key discussion is around its use as a method of allowing
updates to internal DNS zones. Strictly hypothetical. Don't get hung
up on it.
Tsig is good security measure to only allow specific clients to submit
updates. You can configure tsig key to belong to particular view even
without having proper client IP address.
Thank you all for the information. You've provided answers to my
questions and have renewed my faith in geekdom.
If anyone is still confused, I'd be glad to discuss this offline until
we have a final solution. Then we can publish if necessary.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
