How do Stub Zones work

Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 14 19:47:38 UTC 2000


Kelly Scroggins wrote:

> Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
>
>    Kelly Scroggins wrote:
>
>    > Please tell me if I understand this correctly?
>    >
>    > If I have a stub zone to another company, and a client on my network
>    > queries for a host on the stub zone, MY name server will then contact the
>    > authoritative name server for that zone and resolve the name FOR the
>    > client.
>    >
>    > In other words, the client on my network does not contact the name
>    > server on the 'other zone', but instead, my name server does the work
>    > FOR the client.
>
>    That has nothing to do with whether the zone is "stub" or not. That has to
>    do with the "allow-recursion" settings on the nameserver (the default is to
>    allow recursion for all clients and zones). With recursion enabled, your
>    nameserver will go and ask other nameservers about names in the zone,
>    regardless of whether the zone is defined as type "stub" or "forward", or
>    even if it isn't defined in your named.conf at all. If forwarding is used,
>    though, it'll only ask certain *specific* nameservers about the zone;
>    "stub" allows you a little more flexibility to ensure that it always asks
>    the *appropriate* nameservers about the zone.
>
> Thank you Kevin,
>
> That's what I want to happen.  I'm trying to
> convince some of our clients that they can let me
> use stub zones while they maintain their security.
>
> They would only need to open port 53, but would my
> name server use udp or tcp to query their name
> server?

It should fall back to TCP if UDP doesn't work.

> I have a feeling you're going to say udp.
> This is a killer with some of the companies I'm
> dealing with.  Some companies don't allow udp to
> pass into the firewall.
>
>    A stub zone is just a way for the nameserver to replicate the nameserver
>    information about a zone. It's like being a slave, except you don't
>    replicate the *entire* zone, just the nameserver information, so you aren't
>    considered "authoritative" and you don't need "allow-transfer" authority.
>
> If they used the "allow-transfer" option, they
> could increase the security aspect.

Right, but if you're comparing the security impact of a stealth slave versus a
stub, then a stub is arguably more secure, since it only replicates the SOA and
NS records, rather than the entire zone contents. And of course for more
security, there's always allow-query, which can lock out someone from even being
a stub...


- Kevin
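The configuration the thread is talking about, as an added example (not from Kevin or Kelly, and not BIND's own documentation). The zone names, file names and addresses are made up: the resolving server on Kelly's side is assumed to be 192.0.2.53, the other company's authoritative servers ns1/ns2 for example.net are assumed to be 198.51.100.10 and 198.51.100.11, and example.org with a forwarder at 203.0.113.10 is included only to contrast "forward" with "stub". The two named.conf files are shown one after the other; each would be a separate file on its own server.

```conf
// Added example, not part of the original thread. All names and
// addresses are hypothetical (RFC 5737 documentation ranges).

// ==== File 1: named.conf on the resolving server (192.0.2.53) ====
options {
    directory "/var/named";
    // Recursion is what makes this server chase the answer on the
    // client's behalf, for stub, forward and undefined zones alike.
    // Limit it to local clients so the box is not an open resolver.
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
};

// Stub zone: only the SOA and NS records of example.net are fetched,
// with ordinary queries to the listed masters rather than a zone
// transfer, so this server is not authoritative for example.net and
// the other company need not grant it allow-transfer. Queries for
// names in the zone are then sent to whichever servers the learned
// NS set names, so the list stays current if the other side changes.
zone "example.net" {
    type stub;
    masters { 198.51.100.10; 198.51.100.11; };
    file "stub.example.net";
};

// For comparison, a forward zone: queries go only to the specific
// servers listed here, and the list must be edited by hand if the
// other side renumbers or adds a nameserver.
zone "example.org" {
    type forward;
    forward only;
    forwarders { 203.0.113.10; };
};

// ==== File 2: named.conf on the other company's server (198.51.100.10) ====
options {
    directory "/var/named";
    // Authoritative only: it answers for its own zones and does not
    // resolve anything for outsiders.
    recursion no;
};

zone "example.net" {
    type master;
    file "db.example.net";
    // Whole-zone copies (AXFR/IXFR) are limited to the secondary.
    // The stub on 192.0.2.53 never needs this, which is the security
    // advantage over giving that server a stealth slave copy.
    allow-transfer { 198.51.100.11; };
    // Optional further tightening: answer queries for this zone only
    // from named resolvers and the secondary. Anyone else, stub or
    // not, is refused, which is the "lock out" Kevin mentions.
    allow-query { 192.0.2.53; 198.51.100.0/24; };
};
```

Two caveats for the firewall discussion in the thread. First, a stub zone still relies on ordinary port-53 queries reaching the other company's servers (that is how the SOA and NS records are fetched and how later lookups are answered); what it avoids is only the zone transfer. Second, BIND sends those queries over UDP first and retries over TCP only when a UDP reply comes back with the truncation (TC) bit set, so a firewall that drops inbound UDP/53 entirely will leave the stub zone unable to load, whatever allow-transfer and allow-query say.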



