Disable recursion externally, allow internally

Kevin Darcy kcd at daimlerchrysler.com
Thu Apr 27 20:53:10 UTC 2006


milney_boy wrote:

>Hello,
>
>I'm trying to set up a BIND (version 9.2 I think) server to host DNS
>for my domains.  I have set up a RHEL server with a public IP address
>and am now configuring BIND.
>
>As background info, my resolv.conf file has one "nameserver
>xxx.xxx.xxx.xxx" line, where xxx.xxx.xxx.xxx is the public IP address
>that I have given the server (I am not using NAT for this).
>
>I want to set up BIND to allow recursive queries when I do internal
>nslookups, but to not when a query comes from anywhere else.
>
>I have tried views, to split the named.conf and specify an "internal"
>view where:
>
>match-clients { localhost; };
>recursion yes;
>
>and an "external" view where:
>
>match-clients { any; };
>recursion no;
>
>This appears to work as a query from another server appears to not
>return a recursive result, whereas a local nslookup does resolve.
>However, as I have listed my domains in the "external" view so that
>they will be resolved correctly on the internet, it appears that they
>no longer resolve from an internal query.
>
>I don't want to have to list all my domains twice, once in the
>internal, once in the external, though.  I also think it is causing
>problems with nsupdate as I get a message ";;connection timed out. no
>servers could be reached" when trying to update one of the domains
>listed in the "external" view (I have specified allow-update { any; };).
>
Why oh why would you have "allow-update { any; };" on an *external* zone?

The zone isn't called "hack-me-baby", by any chance, is it?

In any case, another poster suggested views with the old "include" 
trick, but that isn't going to work as it normally does if Dynamic 
Update is involved, since you don't want the same file being overwritten 
by Dynamic Updates from different views. That's a recipe for 
corruption/munging. Perhaps you could play around with using different 
directory options in their respective views, and relative pathnames 
(???). Dunno, never tried it.

>
>I have tried to use "allow-recursion { localhost; };" as this should
>solve my problem in theory, but in practice it does not work as it
>still allows external recursive queries.
>
That should work. Bear in mind that "localhost" is not just 127.0.0.1, 
however. It's all of the local interfaces. So if you were expecting it 
to mean only 127.0.0.1 and tested from some other interface on the same 
box, you might not have gotten the results you expected. You might want 
to try it again and test from a truly *external* client.

Bear in mind, however, that if you're trying to avoid implementing views 
solely with "allow-recursion" controls, that "allow-recursion" only 
restricts *recursion*: if you happen to have an answer in your cache, 
and someone whom you aren't allowing to recurse queries it, in the 
absence of any other restrictions you're going to give them the answer 
(recursion wasn't necessary to fetch it, only cache retrieval). So this 
quirk can be used by hostile clients to "snoop" on the contents of your 
cache, which might give them some idea of what websites your users are 
visiting etc. If you want to restrict access to your cache as well as to 
your recursive facilities, then you'd need to look at implementing 
views, or at the very least, "allow-query" controls instead of or in 
conjunction with "allow-recursion".

                                       - Kevin
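To make the closing suggestion concrete, here is an added named.conf fragment (not from the original post, and not ISC's own configuration) that restricts recursion and cache access together without views, using "allow-query" at the options level alongside "allow-recursion", while leaving the authoritative zone publicly queryable and tightening the "allow-update" that Kevin objects to. The acl name "internal", the 192.0.2.0/24 range, the directory, and the zone name example.com are illustrative assumptions.

```conf
// Assumed internal clients: loopback plus an example LAN range (RFC 5737
// documentation prefix, used here only as a placeholder).
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";          // assumed path

    recursion yes;
    // Only internal clients may ask this server to recurse.
    allow-recursion { internal; };

    // Default for every query that no zone overrides, which includes
    // lookups answered from the cache. Without this line, a client that
    // is denied recursion can still retrieve cached answers (the cache
    // snooping quirk described above).
    allow-query { internal; };
};

zone "example.com" {
    type master;
    file "example.com.zone";

    // Authoritative data stays reachable from anywhere; the zone-level
    // allow-query overrides the restrictive options-level default.
    allow-query { any; };

    // Dynamic Update from internal hosts only, instead of { any; }.
    allow-update { internal; };
};
```

With this in place, a query from a truly external client for a name inside example.com should be answered, while a query for any other name (cached or not) should be refused rather than served from the cache; an nslookup from an internal host should still resolve both.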