limiting external visibility - without resorting to views.

Jim Reid jim at rfc1035.com
Sun Mar 27 11:18:12 UTC 2005


>>>>> "Tim" == Tim Peiffer <peiffer at umn.edu> writes:

    >> Tim> I am interested in limiting the visibility of my nameservers
    >> Tim> to the extent that I do not want to answer external queries
    >> Tim> from my cache.  What are the methods of control other than
    >> Tim> allow-query, allow-recursion?

    >>  That's it. Though you could maybe do something with a firewall
    >> that can filter DNS packets from outside that happen to be
    >> queries for non-local names.

    Tim> Please elaborate on firewalling based upon DNS query content.

Well, you say you're getting unwanted queries from the outside for
www.yahoo.com. The DNS wire format means there will more than likely
be the string 3www5yahoo3com at a certain offset inside the packet. It
should be possible for a firewall to look for that string and then do
something appropriate to the corresponding packet. Most firewalls
provide GUIs or hooks to do bit/byte comparisons at offsets within
packets. I don't know or care about the details of how these tools
work.

    Tim> How does one ACL the non-local zones (that I am not
    Tim> authoritative for)?

You don't. At least not explicitly. :-) How many of these zones are
you willing to insert in your named.conf file and add ACLs? What you
do is globally block everything and then unblock your local zones on a
per-zone basis. It's just a variation on the common security policy
of prohibiting everything that hasn't explicitly been approved.

    Tim> I believe it to be syntactically correct
    Tim> to create a forward zone for .com, .net, .biz, .info,
    Tim> etc. and ACL the zones, yet I seem to remember seeing
    Tim> something in the code that says that allow-query is not
    Tim> allowed for forward zones.  Are there any example
    Tim> configurations that are legal for this sort of behaviour that
    Tim> anyone is willing to share?

Well, any solution that involved forwarding is plain wrong. Forwarding
is evil, error-prone and profoundly stupid. Just look at the cruft
that would end up in your named.conf files: an administrative
nightmare. Don't use forwarding. Consult the list archives for reasons
why. In any case, forwarding is no help at all for your problem. So
going down that rathole would achieve nothing apart from making your
DNS infrastructure brittle, unstable and hard to maintain.

The ideal solution is to do what you said you planned to do: separate
the authoritative and caching-only servers. The authoritative servers
would have recursion switched off and be accessible to everyone. The
caching-only servers would have an ACL restricting access to the
local nets. For added defence, your firewall or border routers could
enforce this: block any traffic from outside going to port 53 on the
caching-only servers, prevent recursive queries from outside going to
the authoritative servers, etc, etc. This is clean and simple.

Until you do that, stick with global and per-zone ACLs. The global
allow-query and allow-recursion ACLs would limit access to the local
users. Then for your local zones, an allow-query ACL of any opens them
to the outside world because per-zone ACLs override the global ones.

    Tim> I average 50M/day across both of my campus servers.

WHAT???? You've only got 2 name servers for the campus and they're
getting that sort of load??? Your DNS infrastructure needs to be
beefed up.
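The "block everything globally, then reopen the local zones per zone" policy Jim describes, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from either message in this thread; the ACL name, the address ranges and the zone names are placeholders for the campus networks and zones.

```conf
// Added example (not from the thread): global deny, per-zone allow.
// Address ranges below are placeholders for the campus prefixes.

acl "local-nets" {
    127.0.0.1;
    192.0.2.0/24;      // placeholder campus IPv4 prefix
    2001:db8::/32;     // placeholder campus IPv6 prefix
};

options {
    directory "/var/named";
    // Global policy: hosts outside local-nets may neither query nor
    // recurse, so an external lookup for www.yahoo.com that would
    // otherwise be served from the cache is refused.
    allow-query     { "local-nets"; };
    allow-recursion { "local-nets"; };
};

// Local zones you are authoritative for: a per-zone allow-query
// overrides the global one, so the outside world can still resolve
// these names while everything else stays closed.
zone "example.edu" {
    type master;
    file "db.example.edu";
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-query { any; };
};

// Jim's preferred end state, expressed the same way but on two boxes:
//   authoritative server:  options { recursion no;  allow-query { any; }; };
//   caching-only server:   options { recursion yes; allow-query { "local-nets"; }; };
// with the border firewall additionally dropping outside traffic to
// port 53 on the caching-only servers.
```

Later BIND 9 releases (9.4 onwards, after this thread) added a separate allow-query-cache option, which controls access to cached answers independently of allow-query and is the direct answer to Tim's original question on those versions.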
