DNS Server Host's Network DNS Settings

Steven Stromer filter at stevenstromer.com
Mon Dec 24 03:24:50 UTC 2007


Niall and Kevin,

Thank you both for your exceptionally well-crafted and informative
responses. Due to my company's limited resources, I have had to
configure our two BIND servers to provide both full recursion for LAN
(inside view) queries, and authoritative services for queries
originating from the internet (outside view), porting those queries
through our firewall and using the option 'query-source address
[internal_ip] port 53'. I am sure that this would make the hair on
the necks of some BIND administrators stand on end, but, each view
has been carefully configured according to the same rules as would be
applied to separated services:

view "inside" {

	# Limit access to internal IP addresses
	match-clients { localnets; localhost; "admirallan"; };

	# Redundant to above, but added comfort
	allow-query { "admirallan"; };

	# Allow internal clients to request DNS for domains not managed by
	# this server
	recursion yes;

	# Redundant to above, but added comfort
	allow-recursion { "admirallan"; };

	...

};

view "outside" {

	# Accept requests from all external IP addresses
	match-clients { any; };

	# Do not provide general DNS services for outside parties
	recursion no;

	...

};

This arrangement has worked alright for us for years, now. I describe
all of this because Niall wisely recommends using different
approaches to each type of configuration. Due to the fact that the
BIND hosts in question are members of the 'inside' view (as per the
acl), their queries are answered when using 127.0.0.1. Please let me
know if you see anything outlandish in my approach!

Thanks again,
Steven Stromer


On Dec 21, 2007, at 6:21 PM, Niall O'Reilly wrote:


>
> On 21 Dec 2007, at 19:58, Steven Stromer wrote:
>
>
>> This is probably a naive question, but what, if any, relationship
>> do the DNS settings of the host have to the BIND server that the
>> host is hosting?
>>
>
> 	IMHO (or even IMNSHO), this question is well worth asking,
> 	and too often left unasked.
>
> 	I'll keep this short.  If you need background, please see
> 	<http://marc.info/?l=bind-users&m=119776339525259&w=2> or read
> 	Albitz and Liu.
>
> 	On the systems where your full-function resolvers are running,
> 	it makes good sense to include 127.0.0.1 in the host system's
> 	resolver configuration so that other applications running on
> 	the same host have access to the local name server.
>
> 	On the systems where authoritative name servers are running,
> 	this approach is usually not such a good idea, as these name
> 	servers are likely to have recursion disabled, and so won't
> 	be able (as a matter of policy and configuration) to resolve
> 	general DNS queries.  The host system's resolver configuration
> 	should refer to the full-function resolvers which serve the
> 	particular network.
>
> 	The instinct is a good one which leads you to suppose that
>
>
>> the DNS never looks at the host's network settings.
>>
>
> 	I seem to recall a (fairly) recent post from Mark Andrews
> 	making a succinct recommendation against using "forwarders",
> 	but I can't find it readily in the archive.  Briefly, don't.
> 	
>
> 	Best regards,
>
> 	Niall O'Reilly
> 	University College Dublin IT Services
>
> 	PGP key ID: AE995ED9 (see www.pgp.net)
> 	Fingerprint: 23DC C6DE 8874 2432 2BE0 3905 7987 E48D AE99 5ED9
>
>
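As an added example, not part of this thread or of BIND itself: a small Python lint that parses view blocks like the two quoted above and flags any view that would answer recursive queries for unrestricted (any) clients, which is the open-resolver exposure the inside/outside split is meant to avoid. The sample configuration is constructed from the views in the post, with the "..." omitted.

```python
import re

# Constructed sample, modelled on the two views in the post (the "..." omitted).
SAMPLE_CONF = """
view "inside" {
    match-clients { localnets; localhost; "admirallan"; };
    allow-query { "admirallan"; };
    recursion yes;
    allow-recursion { "admirallan"; };
};
view "outside" {
    match-clients { any; };
    recursion no;
};
"""

def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot hide or fake statements."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def extract_views(conf):
    """Map view name -> body text, matching braces so nested statements survive."""
    views = {}
    for m in re.finditer(r'view\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        views[m.group(1)] = conf[m.end():i - 1]
    return views

def address_list(body, statement):
    """Elements of e.g. match-clients { ... }; or None if the statement is absent."""
    m = re.search(statement + r"\s*\{([^}]*)\}\s*;", body)
    return [t.strip().strip('"') for t in m.group(1).split(";") if t.strip()] if m else None

def recursion_enabled(body):
    m = re.search(r"recursion\s+(yes|no)\s*;", body)
    return m.group(1) == "yes" if m else True   # BIND's default is recursion yes

def audit_views(conf):
    """True for each view that would recurse for unrestricted (any) clients.
    Conservative: an absent allow-recursion is treated as restricting nobody."""
    findings = {}
    for name, body in extract_views(strip_comments(conf)).items():
        clients = address_list(body, "match-clients") or ["any"]  # default: matches everyone
        allowed = address_list(body, "allow-recursion")
        unrestricted = "any" in clients and (allowed is None or "any" in allowed)
        findings[name] = recursion_enabled(body) and unrestricted
    return findings
```

Running audit_views over the sample reports neither view as open; flipping the outside view to "recursion yes", or deleting its recursion statement so BIND's default applies, flags it.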


