How do Stub Zones work
Kevin Darcy
kcd at daimlerchrysler.com
Mon Aug 14 19:47:38 UTC 2000
Kelly Scroggins wrote:
> Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
>
> Kelly Scroggins wrote:
>
> > Please tell me if I understand this correctly.
> >
> > If I have a stub zone to another company, and a client on my network
> > queries for a host on the stub zone, MY name server will then contact the
> > authoritative name server for that zone and resolve the name FOR the
> > client.
> >
> > In other words, the client on my network does not contact the name
> > server on the 'other zone', but instead, my name server does the work
> > FOR the client.
>
> That has nothing to do with whether the zone is "stub" or not. That has to
> do with the "allow-recursion" settings on the nameserver (the default is to
> allow recursion for all clients and zones). With recursion enabled, your
> nameserver will go and ask other nameservers about names in the zone,
> regardless of whether the zone is defined as type "stub" or "forward", or
> even if it isn't defined in your named.conf at all. If forwarding is used,
> though, it'll only ask certain *specific* nameservers about the zone;
> "stub" allows you a little more flexibility to ensure that it always asks
> the *appropriate* nameservers about the zone.
>
> Thank you Kevin,
>
> That's what I want to happen. I'm trying to
> convince some of our clients that they can let me
> use stub zones while they maintain their security.
>
> They would only need to open port 53, but would my
> name server use udp or tcp to query their name
> server?
It should fall back to TCP if UDP doesn't work.
> I have a feeling you're going to say udp.
> This is a killer with some of the companies I'm
> dealing with. Some companies don't allow udp to
> pass into the firewall.
>
> A stub zone is just a way for the nameserver to replicate the nameserver
> information about a zone. It's like being a slave, except you don't
> replicate the *entire* zone, just the nameserver information, so you aren't
> considered "authoritative" and you don't need "allow-transfer" authority.
>
> If they used the "allow-transfer" option, they
> could increase the security aspect.
Right, but if you're comparing the security impact of a stealth slave versus a
stub, then a stub is arguably more secure, since it only replicates the SOA and
NS records, rather than the entire zone contents. And of course for more
security, there's always allow-query, which can lock out someone from even being
a stub...
- Kevin
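The named.conf fragments below are an added illustration of the three options discussed above (stub zone, stealth slave, and the master-side allow-transfer / allow-query controls); they are not part of Kevin's or Kelly's messages. The zone name partner.example, the addresses 192.0.2.53 (the partner's master) and 198.51.100.10 (your name server) are assumptions.

```conf
// --- Your name server (the one Kelly runs) ---
// The two zone statements below are ALTERNATIVES for the same zone;
// a real named.conf may contain only one of them.

// Option A: stub zone. Only the SOA, NS (and glue) records are pulled
// from the listed masters, so no AXFR is needed and this server is
// NOT authoritative for the zone. It still resolves names in the zone
// for your clients by recursing to the partner's authoritative servers.
zone "partner.example" {
    type stub;
    masters { 192.0.2.53; };       // assumed: partner's master server
    file "stub/partner.example";   // cached SOA/NS data
};

// Option B: stealth slave. The entire zone is replicated, this server
// answers authoritatively for it, and the partner must permit AXFR.
zone "partner.example" {
    type slave;
    masters { 192.0.2.53; };       // assumed: partner's master server
    file "slave/partner.example";  // full zone copy
};

// --- The partner's master server ---
// allow-transfer limits who may pull the whole zone (needed only for
// Option B). allow-query limits who may ask at all; since a stub zone
// fetches the SOA/NS by ordinary queries, leaving 198.51.100.10 out of
// allow-query would block even the stub, as Kevin notes.
zone "partner.example" {
    type master;
    file "master/partner.example";
    allow-transfer { 198.51.100.10; };   // assumed: the stealth slave only
    allow-query    { 198.51.100.10; 192.0.2.0/24; };
};
```

On the firewall question raised in the thread: the partner must admit port 53 from 198.51.100.10 over both UDP and TCP, since ordinary queries go over UDP and the resolver retries over TCP when a UDP answer is truncated or, as Kevin says, when UDP does not get through.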