Re: Forward zone inside a view

2019-02-11 Thread Timothe Litt
On 11-Feb-19 08:38, Roberto Carna wrote:

> The point is I have several desktops that must have access only to
> internal domains. The unique exception is they have access to
> teamviewer.com in order to download the
> Teamviewer client and a pair of operations in this public domain.
>
(Ab)using the DNS for this is almost certainly the wrong approach,
though this sort of question comes up frequently.

Any sufficiently motivated user can list a blacklisted domain in
HOSTS.TXT, change his DNS server to a public one, use an IP address
(obtained at home, the local internet cafe, or elsewhere), or use other
work-arounds.

So besides being painful to set up, it's likely ineffective.  You can
clamp down on some of these with file system or other administrative
controls - but not all.  It will be a frustrating path.

If you want (or are required) to create a walled garden, the only
effective approach is likely to be a firewall configuration.  You can
set it up to only allow traffic from particular IP addresses to the
permitted ones.  And control protocols.  You can either send "not
reachable" ICMP responses, or redirect connection attempts to a
port-appropriate warning/notification service.  (e.g. a web page, e-mail
robot, etc.)

You need a process to update the firewall in the unlikely event that the
IP address of a permitted service changes.  And if your clients get
their addresses from DHCP, you'll want to set up distinct address pools
- and possibly VLANs.

DNS is the wrong hammer for this nail.

Whether you should hammer the nail at all is a political, not a
technical issue.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 11-Feb-19 08:38, Roberto Carna wrote:
> Dear Mathus, thanks a lot for your help.
>
> >> what is the point of running DNS server with only two hostnames allowed to
> >> resolve? 
>
> The point is I have several desktops that must have access only to
> internal domains. The unique exception is they have access to
> teamviewer.com in order to download the
> Teamviewer client and a pair of operations in this public domain.
>
> I think if I have setup "recursion = no", if I define a forward zone
> with "type forward" and the corresponding forwarder, this option
> enable the recursion just for this defined zone.
>
> In general, my question is how to forward a public domain to a DNS
> resolver like 8.8.8.8 ???
>
> Thanks again.
>
> On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas
> (uh...@fantomas.sk) wrote:
>
> On 07.02.19 16:30, Roberto Carna wrote:
> >Desktops I mentioned can only access to web apps from internal
> domains, but
> >in some web apps there are links to download Teamviewer client
> software
> >from Internet. I can create a private zone "teamviewer.com" with all the
> >hostnames and IP's we will use, but if they change I will be in
> trouble.
> >
> >So we need to forward the query to our resolvers in order to get
> a valid
> >response.
> >
> >So I think we can use the forward option from BIND, but it
> doesn't work at
> >all as I described:
> >
> >1. "recursion no" can only be set at the top (view) level, not
> overridden
> >   at the zone level.
> >
> >2. If I set "recursion no" at the view level, then a "type forward"
> >   zone has no effect:
> >
> >  view "foo" {
> >    recursion no;
> >    ...
> >    zone "teamviewer.com" {
> >      type forward;
> >      forward only;
> >      forwarders {172.18.1.1; 172.18.1.2;};
> >    };
> >
> >-- query for foo.teamviewer.com fails and tell it's not a recursive query
>
> the whole point of "recursion no" is not to answer recursive queries,
> so there should be no wonder it works that way.
>
>
> >3. If I define "recursion yes" at view level:
> >
> >  view "foo" {
> >    recursion yes;
> >    ...
> >    zone "teamviewer.com" {
> >      type forward;
> >      forward only;
> >      forwarders {172.18.1.1; 172.18.1.2;};
> >    };
> >
> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >(and this is not what I want, it's what I'm trying to prevent))
> >
> >So can you help me please???
>
> you still have not answered my question:
>
> >> what is the point of running DNS server with only two hostnames
> allowed to
> >> resolve?
>
> However, you can define empty type master "." zone, and bind will
> return
> NXDOMAIN for anyth

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Matus, I've followed what you say:

view "internet" {
    match-clients { internet_clients; key "pnet"; };

    recursion yes;

    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
            8.8.8.8;
        };
    };

};

but clients can resolve ANY public Internet domain, in addition to
teamviewer.com. I think "recursion yes" applies to every public domain and
not just for "teamviewer.com", but I don't know why.

Please can you give me more details, using forward or not, how can I let some
clients resolve just teamviewer.com ??? I confirm that my BIND is an
authoritative name server for internal domains.

Thanks a lot again.

On Mon, 11 Feb 2019 at 10:49, Matus UHLAR - fantomas (<
uh...@fantomas.sk>) wrote:

> On 11.02.19 10:38, Roberto Carna wrote:
> >Dear Mathus, thanks a lot for your help.
> >
> >>> what is the point of running DNS server with only two hostnames allowed
> >>> to resolve?
> >
> >The point is I have several desktops that must have access only to
> internal
> >domains. The unique exception is they have access to teamviewer.com in
> >order to download the Teamviewer client and a pair of operations in this
> >public domain.
>
> if you disable recursion, any client using that server will only have
> access
> to the domains that are configured on that server internally.
>
> That also means they won't be allowed to contact any internal domains,
> unless you configure those internal domains on that server.
> Also no windows updates, nothing.
>
> >I think if I have setup "recursion = no", if I define a forward zone with
> >"type forward" and the corresponding forwarder, this option enable the
> >recursion just for this defined zone.
>
> No. Forward zone means recursion. "recursion no" is designed for
> authoritative servers, not servers like there.
>
> >In general, my question is how to forward a public domain to a DNS
> resolver
> >like 8.8.8.8 ???
>
> configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
> do resolution well without forwarding. Also, this seems to be just the
> opposite what you describe above.
>
> >On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas (<
> uh...@fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 16:30, Roberto Carna wrote:
> >> >Desktops I mentioned can only access to web apps from internal domains,
> >> but
> >> >in some web apps there are links to download Teamviewer client software
> >> >from Internet. I can create a private zone "teamviewer.com" with all
> the
> >> >hostnames and IP's we will use, but if they change I will be in
> trouble.
> >> >
> >> >So we need to forward the query to our resolvers in order to get a
> valid
> >> >response.
> >> >
> >> >So I think we can use the forward option from BIND, but it doesn't
> work at
> >> >all as I described:
> >> >
> >> >1. "recursion no" can only be set at the top (view) level, not
> overridden
> >> >   at the zone level.
> >> >
> >> >2. If I set "recursion no" at the view level, then a "type forward"
> >> >   zone has no effect:
> >> >
> >> >  view "foo" {
> >> >recursion no;
> >> >...
> >> >zone "teamviewer.com" {
> >> >  type forward;
> >> >  forward only;
> >> >  forwarders {172.18.1.1; 172.18.1.2;};
> >> >};
> >> >
> >> >-- query for foo.teamviewer.com fails and tell it's not a recursive
> query
> >>
> >> the whole point of "recursion no" is not to answer recursive queries,
> >> so there should be no wonder it works that way.
> >>
> >>
> >> >3. If I define "recursion yes" at view level:
> >> >
> >> >  view "foo" {
> >> >recursion yes;
> >> >...
> >> >zone "teamviewer.com" {
> >> >  type forward;
> >> >  forward only;
> >> >  forwarders {172.18.1.1; 172.18.1.2;};
> >> >};
> >> >
> >> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >> >(and this is not what I want, it's what I'm trying to prevent))
> >> >
> >> >So can you help me please???
> >>
> >> you still have not answered my question:
> >>
> >> >> what is the point of running DNS server with only two hostnames
> allowed
> >> to
> >> >> resolve?
> >>
> >> However, you can define empty type master "." zone, and bind will return
> >> NXDOMAIN for anything other.
> >>
> >>
> >> >On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas (<
> >> uh...@fantomas.sk>)
> >> >wrote:
> >> >
> >> >> On 07.02.19 14:58, Roberto Carna wrote:
> >> >> >In our company we have several desktops from two different cities
> >> >> accessing
> >> >> >only to internal domains distributed in two views in a private BIND
> >> with
> >> >> >authoritative zones, where I've defined "recursion no;".
> >> >> >
> >> >> >But now we have to let them access to *.teamviewer.com hostnames,
> just
> >> >> this
> >> >> >public domain and not other.
> >> >>
> >> >> btw, when did linux.org change to teamviewer.com?
> >> >>
> >> >> >So I've implemented the forwarding of "tea

Re: Forward zone inside a view

2019-02-11 Thread Matus UHLAR - fantomas

On 11.02.19 10:38, Roberto Carna wrote:
>Dear Mathus, thanks a lot for your help.
>
>>> what is the point of running DNS server with only two hostnames allowed
>>> to resolve?
>
>The point is I have several desktops that must have access only to internal
>domains. The unique exception is they have access to teamviewer.com in
>order to download the Teamviewer client and a pair of operations in this
>public domain.

if you disable recursion, any client using that server will only have access
to the domains that are configured on that server internally.

That also means they won't be allowed to contact any internal domains,
unless you configure those internal domains on that server.
Also no windows updates, nothing.

>I think if I have setup "recursion = no", if I define a forward zone with
>"type forward" and the corresponding forwarder, this option enable the
>recursion just for this defined zone.

No. Forward zone means recursion. "recursion no" is designed for
authoritative servers, not servers like there.

>In general, my question is how to forward a public domain to a DNS resolver
>like 8.8.8.8 ???

configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
do resolution well without forwarding. Also, this seems to be just the
opposite what you describe above.

On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas wrote:


On 07.02.19 16:30, Roberto Carna wrote:
>Desktops I mentioned can only access to web apps from internal domains,
but
>in some web apps there are links to download Teamviewer client software
>from Internet. I can create a private zone "teamviewer.com" with all the
>hostnames and IP's we will use, but if they change I will be in trouble.
>
>So we need to forward the query to our resolvers in order to get a valid
>response.
>
>So I think we can use the forward option from BIND, but it doesn't work at
>all as I described:
>
>1. "recursion no" can only be set at the top (view) level, not overridden
>   at the zone level.
>
>2. If I set "recursion no" at the view level, then a "type forward"
>   zone has no effect:
>
>  view "foo" {
>recursion no;
>...
>zone "teamviewer.com" {
>  type forward;
>  forward only;
>  forwarders {172.18.1.1; 172.18.1.2;};
>};
>
>-- query for foo.teamviewer.com fails and tell it's not a recursive query

the whole point of "recursion no" is not to answer recursive queries,
so there should be no wonder it works that way.


>3. If I define "recursion yes" at view level:
>
>  view "foo" {
>recursion yes;
>...
>zone "teamviewer.com" {
>  type forward;
>  forward only;
>  forwarders {172.18.1.1; 172.18.1.2;};
>};
>
>-- query for foo.teamviewer.com is OK, but also I get response OK from
>foo.ibm.com, foo.google.com, and any other public domain from Internet
>(and this is not what I want, it's what I'm trying to prevent))
>
>So can you help me please???

you still have not answered my question:

>> what is the point of running DNS server with only two hostnames allowed
to
>> resolve?

However, you can define empty type master "." zone, and bind will return
NXDOMAIN for anything other.


>On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas (<
uh...@fantomas.sk>)
>wrote:
>
>> On 07.02.19 14:58, Roberto Carna wrote:
>> >In our company we have several desktops from two different cities
>> accessing
>> >only to internal domains distributed in two views in a private BIND
with
>> >authoritative zones, where I've defined "recursion no;".
>> >
>> >But now we have to let them access to *.teamviewer.com hostnames, just
>> this
>> >public domain and not other.
>>
>> btw, when did linux.org change to teamviewer.com?
>>
>> >So I've implemented the forwarding of "teamviewer.com" zone to our
BIND
>> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've
created a
>> >third view with this information in named.conf.local:
>> >
>> >acl internet { 10.0.0.0/24 };
>> >
>> >view "internet" {
>> >
>> >   match-clients { internet; key "custom"; };
>> >
>> > recursion yes;
>> >
>> > zone "teamviewer.com" {
>> >
>> >type forward;
>> >
>> >forward only;
>> >
>> >forwarders {
>> >
>> >172.18.1.1;
>> >
>> >172.18.1.2;
>> >
>> >};
>> >
>> >};
>>
>>
>> >I defined "recursion yes" but the BIND servers forwards all the public
>> >domains queries to our resolvers and not just for "teamviewer.com",
so it
>> >doesn't work. And if I change for "recursion no", the query
>> >www.teamviewer.com is refused and at the client side appears an error
>> >telling that recursion is necessary.
>>
>> of course, BIND will resolve other domains (recurse) only when you
allow it
>> to recurse.
>>
>> >So I let desktops resolve all the Internet domains or neither, and
this is
>> >not what I want because I just want to let them resolve just
>> teamviewer.com.
>> >
>> >How can I do to forward only teamviewer.com zone queries to my
>> resolvers???
>>

--
Matus UHLAR - fantomas,
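Combining Matus's two suggestions (the forward zone inside a view with recursion enabled, and an empty master "." zone so every other name gets NXDOMAIN) into one configuration, as an added example that is not from the thread or from ISC; it answers the internal zones authoritatively, forwards only teamviewer.com, and never contacts the real root servers, though as Timothe Litt notes earlier it restricts resolution on this server only, not network reachability. The ACL name, TSIG key name, internal zone name and file paths are assumptions.

```conf
// Added example: a view that serves internal zones, forwards only
// teamviewer.com, and returns NXDOMAIN for everything else.
// The ACL, key, internal zone and file paths are assumed values.

acl internet_clients { 10.0.0.0/24; };

view "internet" {
    match-clients { internet_clients; key "pnet"; };

    // A "type forward" zone is only consulted for recursive queries,
    // so recursion has to stay on in this view; limit who may use it.
    recursion yes;
    allow-recursion { internet_clients; };
    allow-query     { internet_clients; };

    // Internal authoritative data (assumed zone name and path).
    zone "internal.example" {
        type master;
        file "/etc/bind/db.internal.example";
    };

    // The single public exception. "forward only" means named never
    // falls back to iterative resolution if 8.8.8.8 does not answer.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 8.8.8.8; };
    };

    // Catch-all: named picks the closest enclosing zone for each query
    // name, so anything not under a more specific zone above lands here
    // and is answered NXDOMAIN from this local, empty root zone. The
    // real root servers are never contacted from this view.
    zone "." {
        type master;
        file "/etc/bind/db.empty-root";
    };
};

// Contents of /etc/bind/db.empty-root (constructed for this example):
// only an SOA and an NS record, no delegations at all.
//
//   $TTL 3600
//   @          IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
//   @          IN NS  localhost.
//   localhost. IN A   127.0.0.1
```

Check the result with `named-checkconf` and `named-checkzone . /etc/bind/db.empty-root` before reloading; from a client in the view, a name outside the configured zones should come back NXDOMAIN while a name under teamviewer.com is answered via the forwarder.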

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Dear Mathus, thanks a lot for your help.

>> what is the point of running DNS server with only two hostnames allowed
to
>> resolve?

The point is I have several desktops that must have access only to internal
domains. The unique exception is they have access to teamviewer.com in
order to download the Teamviewer client and a pair of operations in this
public domain.

I think if I have setup "recursion = no", if I define a forward zone with
"type forward" and the corresponding forwarder, this option enable the
recursion just for this defined zone.

In general, my question is how to forward a public domain to a DNS resolver
like 8.8.8.8 ???

Thanks again.

On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas wrote:

> On 07.02.19 16:30, Roberto Carna wrote:
> >Desktops I mentioned can only access to web apps from internal domains,
> but
> >in some web apps there are links to download Teamviewer client software
> >from Internet. I can create a private zone "teamviewer.com" with all the
> >hostnames and IP's we will use, but if they change I will be in trouble.
> >
> >So we need to forward the query to our resolvers in order to get a valid
> >response.
> >
> >So I think we can use the forward option from BIND, but it doesn't work at
> >all as I described:
> >
> >1. "recursion no" can only be set at the top (view) level, not overridden
> >   at the zone level.
> >
> >2. If I set "recursion no" at the view level, then a "type forward"
> >   zone has no effect:
> >
> >  view "foo" {
> >recursion no;
> >...
> >zone "teamviewer.com" {
> >  type forward;
> >  forward only;
> >  forwarders {172.18.1.1; 172.18.1.2;};
> >};
> >
> >-- query for foo.teamviewer.com fails and tell it's not a recursive query
>
> the whole point of "recursion no" is not to answer recursive queries,
> so there should be no wonder it works that way.
>
>
> >3. If I define "recursion yes" at view level:
> >
> >  view "foo" {
> >recursion yes;
> >...
> >zone "teamviewer.com" {
> >  type forward;
> >  forward only;
> >  forwarders {172.18.1.1; 172.18.1.2;};
> >};
> >
> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >(and this is not what I want, it's what I'm trying to prevent))
> >
> >So can you help me please???
>
> you still have not answered my question:
>
> >> what is the point of running DNS server with only two hostnames allowed
> to
> >> resolve?
>
> However, you can define empty type master "." zone, and bind will return
> NXDOMAIN for anything other.
>
>
> >On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas (<
> uh...@fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 14:58, Roberto Carna wrote:
> >> >In our company we have several desktops from two different cities
> >> accessing
> >> >only to internal domains distributed in two views in a private BIND
> with
> >> >authoritative zones, where I've defined "recursion no;".
> >> >
> >> >But now we have to let them access to *.teamviewer.com hostnames, just
> >> this
> >> >public domain and not other.
> >>
> >> btw, when did linux.org change to teamviewer.com?
> >>
> >> >So I've implemented the forwarding of "teamviewer.com" zone to our
> BIND
> >> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've
> created a
> >> >third view with this information in named.conf.local:
> >> >
> >> >acl internet { 10.0.0.0/24 };
> >> >
> >> >view "internet" {
> >> >
> >> >   match-clients { internet; key "custom"; };
> >> >
> >> > recursion yes;
> >> >
> >> > zone "teamviewer.com" {
> >> >
> >> >type forward;
> >> >
> >> >forward only;
> >> >
> >> >forwarders {
> >> >
> >> >172.18.1.1;
> >> >
> >> >172.18.1.2;
> >> >
> >> >};
> >> >
> >> >};
> >>
> >>
> >> >I defined "recursion yes" but the BIND servers forwards all the public
> >> >domains queries to our resolvers and not just for "teamviewer.com",
> so it
> >> >doesn't work. And if I change for "recursion no", the query
> >> >www.teamviewer.com is refused and at the client side appears an error
> >> >telling that recursion is necessary.
> >>
> >> of course, BIND will resolve other domains (recurse) only when you
> allow it
> >> to recurse.
> >>
> >> >So I let desktops resolve all the Internet domains or neither, and
> this is
> >> >not what I want because I just want to let them resolve just
> >> teamviewer.com.
> >> >
> >> >How can I do to forward only teamviewer.com zone queries to my
> >> resolvers???
> >>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not wish to receive any advertising mail at this address.
> Eagles may soar, but weasels don't get sucked into jet engines.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubs