Re: DNS Recursion
On Wed, 2005-09-14 at 21:22 -0400, Benjamin Scott wrote:

> If I understand you correctly:

You did.

> allow-recursion is not the best choice for this. In the above, BIND will
> still attempt to answer queries, it just won't perform recursion to do
> so. In particular, the cache is still available. See problem statement,
> above.

Interesting... I have apparently misunderstood the allow-recursion option for many years.

> That should do it, I believe.

That did it. It does exactly what I want the way I wanted it.

> References:
>
> Secure BIND Template
> http://www.cymru.com/Documents/secure-bind-template.html

This is a really good read (so far, I haven't finished it yet) for anyone that is interested.

> BIND Administrator Reference Manual (included in BIND distribution)

Yeah, read that. Got a headache. :-)

Thanks,
Kenny
Re: DNS Recursion
On 9/14/05, Kenneth E. Lussier [EMAIL PROTECTED] wrote:

> Hi All,
>
> I'm using BIND8 (8.4.6) as an external name server. I want to also use
> it as the name server for my external boxes. However, I can't seem to
> get recursion to work correctly.
>
> If I use `allow-recursion { none; };` then DNS lookups for my local
> zones work fine, but the external boxes can't use it to look up other
> domains.
>
> If I use `allow-recursion { any; };` then anyone can use it as a DNS
> server.
>
> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
>
>     named[2692]: denied recursion for query from [x.x.x.x].24684 for www.google.com IN
>
> I have also tried setting up acl external {}; with the IP addresses of
> the external hosts and using `allow-recursion { external; };`. This is
> also denied.
>
> Is recursion an all or nothing option? I thought that it could take acl
> options. Any thoughts?
>
> Thanks,
> Kenny

Simplest thing I've done to guard from that is to use the allow query stanza...

    allow-query {
        // Only let mine see.
        192.168.1.0/24;
    };

You can use that globally, or if you're also using it to host other domains you can use

    allow-query {
        // anyone can see this domain.
        any;
    };

from within the domain setup. It's worked for me, at any rate ;-)
Re: DNS Recursion
On Sep 14, 2005, at 11:34, Kenneth E. Lussier wrote:

> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
>
>     named[2692]: denied recursion for query from [x.x.x.x].24684 for www.google.com IN

I'd expect the source of the UDP packet to be the originating host, not the IP of the NAT, unless you're doing port forwarding. Maybe I don't understand the network setup fully - can you diagram with whatever level of obfuscation is required?

> I have also tried setting up acl external {}; with the IP addresses of
> the external hosts and using `allow-recursion { external; };`. This is
> also denied.

That's supposed to work.

-Bill

-
Bill McGonigle, Owner                 Work: 603.448.4440
BFC Computing, LLC                    Home: 603.448.1668
[EMAIL PROTECTED]                     Mobile: 603.252.2606
http://www.bfccomputing.com/          Pager: 603.442.1833
Jabber: [EMAIL PROTECTED]
Text: [EMAIL PROTECTED]
RSS: http://blog.bfccomputing.com/rss

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: DNS Recursion
On Sep 14 at 11:34am, Kenneth E. Lussier wrote:

> I'm using BIND8 (8.4.6) as an external name server. I want to also use
> it as the name server for my external boxes. However, I can't seem to
> get recursion to work correctly.

If I understand you correctly:

You have a nameserver which is authoritative for one or more zones. You want the nameserver to answer queries about those zones, regardless of where the query came from. You also want the nameserver to attempt to answer queries in general, but only when the queries come from specific network(s).

Note that recursion doesn't enter into the above problem statement; that'll become important in a second. :)

For the sake of discussion, let's say 192.0.2.0/24 is the network you want to provide full service for. We will call this your trusted network. Let's also say the zone you are claiming authority for is example.com.

> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
>
>     named[2692]: denied recursion for query from [x.x.x.x].24684 for www.google.com IN

allow-recursion is not the best choice for this. In the above, BIND will still attempt to answer queries, it just won't perform recursion to do so. In particular, the cache is still available. See problem statement, above.

So, the better choice is allow-query. First, define an ACL, like you mentioned:

    acl trusted {
        192.0.2.0/24;
        127.0.0.1;
    };

Next, in the global scope, allow queries from your trusted network. This will implicitly block queries not from your trusted network:

    options {
        // ...
        allow-query { trusted; };
    };

Finally, in the zones you are claiming authority for, make an exception to that global deny-untrusted policy (the zone name is quoted, as named.conf requires):

    zone "example.com" {
        // ...
        allow-query { any; };
    };

That should do it, I believe.
References:

Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html

BIND Administrator Reference Manual (included in BIND distribution)

-- 
Ben [EMAIL PROTECTED]
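The policy Ben lays out above (global allow-query restricted to the trusted ACL, with the authoritative zone opened to anyone) and his point that allow-recursion alone still leaves cached answers reachable can be checked with a small model. The following Python is an added example, not code from the thread or from BIND itself; it is a deliberate simplification of named's query handling that assumes only the documentation values used in the reply (192.0.2.0/24 and 127.0.0.1 as the trusted ACL, example.com as the hosted zone) and a constructed outside address, 203.0.113.5, standing in for an arbitrary Internet host. The function and config names (`decide`, `ALLOW_QUERY_CONFIG`, `RECURSION_ONLY_CONFIG`) are the example's own.

```python
import ipaddress

# ACLs constructed to mirror the reply: the trusted network plus localhost.
ACLS = {
    "trusted": ["192.0.2.0/24", "127.0.0.1"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Ben's recommended layout: allow-query restricted globally to the
# trusted ACL, with the authoritative zone opened to anyone.
ALLOW_QUERY_CONFIG = {
    "options": {"allow-query": "trusted", "allow-recursion": "any"},
    "zones": {"example.com": {"allow-query": "any"}},
}

# The layout the reply argues against: queries open to everyone and
# only recursion restricted to the trusted ACL.
RECURSION_ONLY_CONFIG = {
    "options": {"allow-query": "any", "allow-recursion": "trusted"},
    "zones": {"example.com": {}},
}


def acl_matches(acl_name, source_ip):
    """True if source_ip falls inside any element of the named ACL."""
    addr = ipaddress.ip_address(source_ip)
    for element in ACLS[acl_name]:
        net = ipaddress.ip_network(element, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def authoritative_zone(config, qname):
    """Return the configured zone that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    for zone in config["zones"]:
        z = zone.lower()
        if name == z or name.endswith("." + z):
            return zone
    return None


def decide(config, source_ip, qname, cached=False):
    """Simplified model of named's decision for a single query.

    Returns one of:
      'refused'          allow-query did not match; nothing is served
      'authoritative'    name is in a hosted zone; answered from zone data
      'recursive'        allow-recursion matched; resolved for the client
      'cached'           recursion denied, but the name was already cached
      'recursion-denied' recursion denied and nothing cached to fall back on
    """
    zone = authoritative_zone(config, qname)
    # A zone-level allow-query overrides the global one when present.
    query_acl = config["options"]["allow-query"]
    if zone is not None:
        query_acl = config["zones"][zone].get("allow-query", query_acl)
    if not acl_matches(query_acl, source_ip):
        return "refused"
    if zone is not None:
        return "authoritative"
    if acl_matches(config["options"]["allow-recursion"], source_ip):
        return "recursive"
    return "cached" if cached else "recursion-denied"


if __name__ == "__main__":
    # 203.0.113.5 is a constructed stand-in for an arbitrary outside host.
    for cfg_name, cfg in (("allow-query", ALLOW_QUERY_CONFIG),
                          ("recursion-only", RECURSION_ONLY_CONFIG)):
        for src, name, cached in (("192.0.2.10", "www.google.com", False),
                                  ("203.0.113.5", "www.google.com", True),
                                  ("203.0.113.5", "www.example.com", False)):
            print(f"{cfg_name:14} {src:12} {name:16} cached={cached!s:5} -> "
                  f"{decide(cfg, src, name, cached)}")
```

Running it shows the contrast the reply is making: under the allow-query layout an outside host gets `refused` for www.google.com even when the answer is cached, yet still gets `authoritative` for www.example.com, while under the recursion-only layout the same outside host is handed a `cached` answer. Real named also has to consider views, allow-query-cache and referrals, which this model leaves out.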