DNS Security

Cricket Liu cricket at acmebw.com
Mon Dec 27 22:47:44 UTC 1999


> Excuse my lack of clarity.  I will endeavour to persevere in
> clarifying my issues.  I'm interested in maximizing security against
> spoofing attacks.  Options are set to allow-recursion for specific
> internal servers only and fetch-glue is set to "no."  This being the
> case, there are several points to which I'm not totally clear:
>
> 1.  What, if any, security advantage is obtained by not setting
> allow-query { any; } in a particular master or slave zone?

Basically none.  Whether or not you allow anyone to look up
information in zones your name server is authoritative for
is a policy issue, not a security issue.  Of course, you shouldn't
delegate a zone to a name server that doesn't accept queries
from everywhere.

> 2. If allow-recursion is set for specific internal servers only, what
> disadvantage is there to not including in a master zone statement
> the allow-query { any; }?

(BTW, if you're aiming for clarity, you might want to stay away
from constructs that are basically double negatives.)

If you don't add "allow-query { any; };" as a zone substatement,
but you've set a global "allow-query" substatement in your
options statement, you can't delegate the zone to that name server.
Both Barry and Jim have explained this.

This doesn't have anything to do with "allow-recursion," though.
"allow-query" substatements control which queries you answer.
"allow-recursion" substatements control who (i.e., which IP
addresses) you perform recursion for.  You can turn off recursion
entirely while still answering queries from arbitrary remote name
servers, because remote name servers send your name server non-
recursive queries.

> I understand, for example, if a third level domain had been
> delegated to other name servers, then a recursive inquiry for
> record information within that delegated zone
> would only result in a reply sending them to the name servers
> serving the delegated zone.

I'm not sure why a remote name server would be sending
you a recursive query for information in a delegated zone.

> But aside from such a limited
> circumstance, why else would you want recursion turned back on
> for a particular zone?

You can't turn on recursion for a particular zone.  You must
be confusing the "allow-recursion" and "allow-query"
substatements.  The zone statement doesn't support an
"allow-recursion" substatement.

Moreover, it wouldn't make any sense to have one.  What
would it mean for a name server to do recursive resolution
for a zone it's authoritative for?

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class!  See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
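The setup discussed in this thread, written out as an added example named.conf (not from the original post, and not ISC's own documentation): recursion is allowed only for internal servers, allow-query is restricted globally in the options statement, and the zone-level allow-query { any; } overrides that default so the zone can still be delegated to this server. The acl name, addresses, zone names and file names are placeholders, and the syntax is BIND 8-era as in the thread (fetch-glue was dropped in BIND 9).

```conf
// Added example, not from the original post. Addresses, zone and file
// names are placeholders.
acl internal { 192.0.2.0/24; 127.0.0.1; };  // the "specific internal servers"

options {
    directory "/var/named";
    // Only internal hosts may ask this server to recurse on their behalf.
    allow-recursion { internal; };
    // Don't chase glue while answering (BIND 8 option, as set in the question).
    fetch-glue no;
    // Global default: zones without their own allow-query answer ONLY
    // internal hosts. Such a zone cannot be delegated to this server,
    // because remote name servers' non-recursive queries would be refused.
    allow-query { internal; };
};

// Delegated master zone: the zone-level substatement overrides the global
// allow-query, so any remote name server gets authoritative answers.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};

// Same for a slave zone that the parent delegates to this server.
zone "example.net" {
    type slave;
    masters { 192.0.2.10; };
    file "bak.example.net";
    allow-query { any; };
};

// Internal-only zone: inherits the global allow-query, so outside hosts
// get nothing. There is deliberately no allow-recursion here; recursion
// is a per-client options-level setting, not a per-zone one.
zone "corp.internal" {
    type master;
    file "db.corp.internal";
};
```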
