Re: DNS Recursion

2005-09-15 Thread Kenneth E. Lussier
On Wed, 2005-09-14 at 21:22 -0400, Benjamin Scott wrote:
 
If I understand you correctly:

You did.


allow-recursion is not the best choice for this.  In the above, BIND will still attempt to answer queries, it just won't perform recursion to do so.  In particular, the cache is still available.  See problem statement, above.

Interesting... I have apparently misunderstood the allow-recursion
option for many years.


That should do it, I believe.
 

That did it. It does exactly what I want the way I wanted it. 

References:
 
 Secure BIND Template
 http://www.cymru.com/Documents/secure-bind-template.html

This is a really good read (so far, I haven't finished it yet) for
anyone that is interested. 

 BIND Administrator Reference Manual
 (included in BIND distribution)

Yeah, read that. Got a headache. :-)

Thanks,
Kenny




Re: DNS Recursion

2005-09-14 Thread Star
On 9/14/05, Kenneth E. Lussier [EMAIL PROTECTED] wrote:
Hi All,

I'm using BIND8 (8.4.6) as an external name server. I want to also use it as the name server for my external boxes. However, I can't seem to get recursion to work correctly.

If I use `allow-recursion {none; };` then DNS lookups for my local zones work fine, but the external boxes can't use it to look up other domains.

If I use `allow-recursion { any; };` then anyone can use it as a DNS server.

I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP address), but the query was denied with:

named[2692]: denied recursion for query from [x.x.x.x].24684 for www.google.com IN

I have also tried setting up acl external {}; with the IP addresses of the external hosts and using `allow-recursion { external; };`. This is also denied.

Is recursion an all-or-nothing option? I thought that it could take acl options. Any thoughts?

Thanks,
Kenny
Simplest thing I've done to guard from that is to use the allow query stanza...

allow-query {
 // Only let mine see.
 192.168.1.0/24;
};

You can use that globally, or if you're also using it to host other domains you can use

allow-query {
 // anyone can see this domain.
 any;
};

from within the domain setup.

It's worked for me, at any rate ;-)


Re: DNS Recursion

2005-09-14 Thread Bill McGonigle

On Sep 14, 2005, at 11:34, Kenneth E. Lussier wrote:


I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
address), but the query was denied with:
named[2692]: denied recursion for query from [x.x.x.x].24684 for
www.google.com IN


I'd expect the source of the UDP packet to be the originating host, not 
the IP of the NAT, unless you're doing port forwarding.  Maybe I don't 
understand the network setup fully - can you diagram with whatever 
level of obfuscation is required?



I have also tried setting up acl external {}; with the ip addresses of
the external hosts and using `allow-recursion { external; };`. This is
also denied.


That's supposed to work.

-Bill

-
Bill McGonigle, Owner      Work: 603.448.4440
BFC Computing, LLC         Home: 603.448.1668
[EMAIL PROTECTED]          Mobile: 603.252.2606
http://www.bfccomputing.com/   Pager: 603.442.1833
Jabber: [EMAIL PROTECTED]  Text: [EMAIL PROTECTED]
RSS: http://blog.bfccomputing.com/rss

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss


Re: DNS Recursion

2005-09-14 Thread Benjamin Scott

On Sep 14 at 11:34am, Kenneth E. Lussier wrote:
I'm using BIND8 (8.4.6) as an external name server.  I want to also use it 
as the name server for my external boxes.  However, I can't seem to get 
recursion to work correctly.


  If I understand you correctly:

  You have a nameserver which is authoritative for one or more zones.  You want 
the nameserver to answer queries about those zones, regardless of where the 
query came from.  You also want the nameserver to attempt to answer queries in 
general, but only when the queries come from specific network(s).


  Note that recursion doesn't enter into the above problem statement; that'll 
become important in a second.  :)


  For the sake of discussion, let's say 192.0.2.0/24 is the network you want 
to provide full service for.  We will call this your trusted network. 
Let's also say the zone you are claiming authority for is example.com.



I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
address), but the query was denied with:
named[2692]: denied recursion for query from [x.x.x.x].24684 for
www.google.com IN


  allow-recursion is not the best choice for this.  In the above, BIND will 
still attempt to answer queries, it just won't perform recursion to do so. 
In particular, the cache is still available.  See problem statement, above.


  So, the better choice is allow-query.  First, define an ACL, like you 
mentioned:


acl trusted {
192.0.2.0/24;
127.0.0.1;
};

  Next, in the global scope, allow queries from your trusted network.  This 
will implicitly block queries not from your trusted network:


options {
// ...
allow-query {
trusted;
};
};

  Finally, in the zones you are claiming authority for, make an exception to 
that global deny untrusted policy:


zone "example.com" {
// ...
allow-query {
any;
};
};

  That should do it, I believe.


  References:

Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html

BIND Administrator Reference Manual
(included in BIND distribution)

--
Ben [EMAIL PROTECTED]
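To make the difference between the two approaches in this thread concrete (Star's per-zone allow-query and Ben's global allow-query plus zone override, versus an allow-recursion-only ACL), here is an added Python model of how each policy disposes of a query. It is not BIND code and not from any poster; it assumes Ben's 192.0.2.0/24 trusted network and the example.com zone, and the source addresses are constructed.

```python
import ipaddress

# Constructed model of the named.conf policies discussed in the thread.
# The real decision is made by named; this reproduces only the logic the
# posters describe, so the two policies can be compared side by side.

TRUSTED = [ipaddress.ip_network("192.0.2.0/24"),   # Ben's trusted network
           ipaddress.ip_network("127.0.0.1/32")]
AUTH_ZONES = ["example.com"]                        # zone we are authoritative for

def in_acl(src, acl):
    """True if the query's source address matches any network in the ACL."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in acl)

def in_auth_zone(qname):
    """True if qname lies inside one of our authoritative zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)

def policy_allow_recursion(qname, src, cached):
    """Kenny's first attempt: only allow-recursion { trusted; }.
    Every source may still query; only the recursion step is gated,
    so cached data is handed to untrusted sources (Ben's objection)."""
    if in_auth_zone(qname):
        return "authoritative answer"
    if in_acl(src, TRUSTED):
        return "recursive answer"
    if cached:
        return "cached answer"          # leaks to untrusted clients
    return "non-recursive (referral)"   # the 'denied recursion' log case

def policy_allow_query(qname, src, cached):
    """Ben's fix: global allow-query { trusted; } with
    allow-query { any; } inside the authoritative zone."""
    if in_auth_zone(qname):
        return "authoritative answer"   # zone-level override: anyone may ask
    if in_acl(src, TRUSTED):
        return "recursive answer"
    return "REFUSED"                    # global allow-query blocks, cache or not

if __name__ == "__main__":
    for pol in (policy_allow_recursion, policy_allow_query):
        print(pol.__name__, "untrusted/cached ->",
              pol("www.google.com", "203.0.113.5", cached=True))
```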