Peeps,

Small thing about recursion

You can configure your outside DNS servers (if you are using BIND)
to allow recursion from a couple of trusted hosts.

In the named.conf file just put the following entry:

allow-recursion { ip_addresses_trusted_hosts; };
(or if the list is getting pretty long then build a simple acl)

the result is that the server will only recurse for those hosts
(mail servers in the DMZ or internal DNS servers) and will
not be recursive for the whole other internet/internal hosts.

This is the way I like to see it working. People may argue
this way of DNS recursion but it makes the rulebase on the internal
firewall a bit more restrictive. And it keeps my external DNS server
from idling the whole time (precaution for lazy CPUs).   :o)

<..explanation snip..>

Internet servers or 'delegate' servers should be configured to only allow
"recursive queries" from valid DNS servers/clients in your company, but not
the Internet. Recursive queries allow the DNS client to ask the DNS server
for information on IP addresses for which it is not authoritative. The server
will do its best to get the needed information and will cache it, but we
don't want that, we only want to serve information to others that we know is
100% correct, i.e. that the server is authoritative for. Stopping or
restricting recursion can improve performance and help prevent a form of
attack known as DNS cache poisoning. The appropriate option is:

     allow-recursion { 193.a.b.c/24; }; 

<.. explanation snip..>

Regards,

Brenno
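To confirm that an external server really refuses recursion for hosts outside the allow-recursion list, here is a small checker. This is an added example, not code from the list post: it sends one query with the RD (recursion desired) bit set using only the standard library and classifies the reply by its RA bit and RCODE. The server address and the name www.example.com are placeholders you would replace with your own external DNS server and a name it is not authoritative for.

```python
import socket
import struct

# Added example: verify how a DNS server handles a recursive query.
# Run check_recursion("<your external DNS IP>") from a host that is NOT
# in allow-recursion; a correctly restricted BIND should answer REFUSED
# (or at least not set RA), never "recursed".

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query with RD=1 (flags 0x0100)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(resp: bytes, qid: int) -> str:
    """Classify the server's reply to a recursive query.
    'recursed' -> RA set, NOERROR and answers present: it recursed for us
    'refused'  -> RCODE 5 (REFUSED), what BIND returns to non-allowed hosts
    'no-ra'    -> RA bit clear: server states it will not recurse
    """
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    if rcode == 5:
        return "refused"
    if ra and rcode == 0 and an > 0:
        return "recursed"
    if not ra:
        return "no-ra"
    return "other"

def check_recursion(server: str, name: str = "www.example.com",
                    timeout: float = 3.0) -> str:
    """Send one RD=1 query to server on UDP/53 and classify the reply."""
    qid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp, qid)
```

Run the same check from a host that is in the trusted list to confirm it still gets "recursed"; together the two results show the allow-recursion line is doing what Brenno describes.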




> -----Original Message-----
> From: Chris Keladis [SMTP:[EMAIL PROTECTED]]
> Sent: donderdag 10 mei 2001 1:17
> To:   Brooks Carlson
> Cc:   'Firewalls (E-mail)
> Subject:      Re: DNS cannot contact Root Servers
> 
> Brooks Carlson wrote:
> 
> Hi Brooks,
> 
> > After some struggling with DHCP (finally got that working), now I am
> > noticing in Checkpoint logs
> > that the internal DNS server is trying to contact a.root-servers.net,
> > b.root-servers.net, etc.  I did not notice
> > anything about these root-servers in DNS configurations at Phoneboy or
> > Checkpoint's site.
> 
> Your DNS server (assuming Unix) would have a named.cache file (on Linux it
> resides in /var/named usually, and is also sometimes called "named.ca"),
> which defines the root servers.
> 
> In the process of DNS resolution your DNS server will first query (the
> root) DNSs who will refer you to the first TLD DNS for the domain you are
> looking for, you will then be referred to another DNS, and down the tree
> you go until you find what you're looking for. (Think of the domain as
> being backwards, (the leading) dot signifies the root servers, thus you
> would lookup ".com.google.www" working your way down each part of the
> domain name, to the entry you're looking for. In this case, www of google
> with a TLD of .com)
> 
> The moral of the story is, the root servers simply refer you to the next
> DNS, thus you must allow inbound->outbound connectivity to 'any', unless
> you can predict you always lookup a finite set of domains and you have
> accounted for every DNS in the chain in your firewall rules, but this also
> means if anything is changed, your setup will break (read: this is not
> recommended)
> 
> There are a few ways to implement split-horizon DNS, some people configure
> forwarders from the internal DNS to the external DNS, however this
> requires your external DNS be recursive. (In my case I didn't want this)
> 
> In my particular setup, my internal DNSs are recursive, and my external
> DNSs are non-recursive. There is a stateful firewall in between. Thus the
> internal DNSs use a state rule to go out to (any) the Internet and lookup
> anything they need (PIX has some added protection in this area for DNS
> specifically over FW-1), while the border routers allow DNS queries from
> the net to the external-side (non-recursive) DNSs.
> 
> Good ingress rules at the border also help strengthen the (flimsy) DNS
> ACLs and make it harder for people to mess with things.
> 
> 
> > Logs:
> >
> > Drop    Internal_DNS    a.root-servers.net      UDP     Rule16(drop rule)    domain-udp
> >
> > I have a rule that says:
> > Internal_Net    DNS_Servers     udp-domain,tcp-domain   Accept  loglong
> >
> > BUT I don't have a.root-servers.net,etc. listed in DNS_Servers.  Should I?
> > Is this strange?
> 
> Looks like the rule you have is a 'client-side' rule, i.e. your clients
> querying your DNS server.
> 
> You also need a 'server-side' rule to allow your DNS out to the net, to
> lookup whatever it needs (assuming a deny-all-outbound default rule), hence
> your logs say 'trying to reach the root-servers' and getting dropped.
> 
> Without looking at a network diagram or the members of the groups in your
> ruleset, it's difficult to guess what you need to do exactly, but I hope
> this gives you some idea.
> 
> 
> 
> Cheers,
> 
> Chris.
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]