Forward zone does not work when allow recursive is restrictive

Wed Feb 10 11:22:24 UTC 2021

This is very similar to what I wanted to do some time ago, but concluded 
this is not possible with bind.

But, I've modified bind in order to be able to do that anyway.
The trick was to use a "static-stub" zone with a small modification in 
bind code.

In my bind-9.16.6, I modified file query.c to look like that:

lib/ns/query.c

/*
          * Non recursive query to a static-stub zone is prohibited; its
          * zone content is not public data, but a part of local 
configuration
          * and should not be disclosed.
          */
         /*if (dns_zone_gettype(zone) == dns_zone_staticstub &&
             !RECURSIONOK(client)) {
                 return (DNS_R_REFUSED);
         }*/
         if (dns_zone_gettype(zone) == dns_zone_staticstub)
                 client->query.attributes |= NS_QUERYATTR_RECURSIONOK;

One "if" was commented to remove the check on recursion.
One "if" was added to "force" recursion.

With this modification, I turned bind to some kind of proxy for a sub-zone.
I don't really know if there are some nasty side effects, but in my case 
this is not a real problem because I don't normally use static-stub 
zones excepted for one very specific usage.

Maybe some bind expert would like to comment on this.

Frédéric Lochon.

Le 09/02/2021 à 22:44, Sebastian Neumann a écrit :
> Hey there,
>
> I am having an issue forwarding DNS queries and was hoping, that one 
> of you might be able to help me:
>
> I have the following setup:
>
> DNS-Server reachable from the internet, is authoritative for zone foo.com
> DNS-Server reachable only locally, should be authoritative for zone 
> test.lab.foo.com
> What I try to achieve:
>
> When a DNS query from the outside world reaches the first DNS server 
> for a record belonging to the zone test.lab.foo.com, I want it to make 
> a recursive request to the second DNS server and then forward the records.
>
> I explicitly don't want to do zone transfers or make the second DNS 
> server reachable from the internet.
>
> my configuration looks like this: (I only copied the [what I think] 
> important parts to here, as all the Config would be a few hundret 
> lines (because of split view and many zones)
>
> On the first DNS-Server
>
> options {
> allow-recursion {
> localnets;
> localhost;
> internal;
> my-datacenter;
> mc-office;
> };
> };
>
> zone "test.lab.foo.com" {
> forward only;
> forwarders {
> <private IP of second DNS server>;
> };
> type forward;
> };
>
> zone "foo.com" {
> file "/etc/bind/zones/foo.com.zone";
> type master;
> };
> My issue:
>
> When I am in a local network, that is whitelisted in the 
> allow-recursion block, then it works as expected. When I try the DNS 
> lookup from the internet, then i get a NOERROR with an empty response 
> back.
>
> During debugging, I adjusted the allow-recursion list and added any to 
> it. Then it was working. But I don't want my DNS server to allow any 
> kind of recursion. I actually only want "outside" lookups for this one 
> specific zones to be recursive.
>
> How can I set something like allow-recursion for just one zone?
>
> Thanks a lot already
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
>
> ISC funds the development of this software with paid support 
> subscriptions. Contact us at https://www.isc.org/contact/ for more 
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users