Using DNS servers to query root servers from WAN

samankaya at netscape.net
Tue Jun 30 19:41:40 UTC 2009


Hi, this is my first post here and I have quite an interesting problem at that!

I have migrated my DNS service from Debian Etch Linux to Sun Solaris 9 running the Blastwave version of Bind9.

This is a bit hard to explain, but basically the default DNS setup in Debian installs root servers through which domains for which the server is not authoritative get resolved. Currently the setup works fine from within my LAN or intranet, so that any queries from the 192.168.0.0/23 networks resolve perfectly ok, as they should for WAN queries.

My issue is that I cannot seem to do the same from the other side of my gateway! The gateway is NAT'ed and I've directed port 53 for both TCP and UDP connections to the IP of the DNS server.

I have had this working before I decided to use views but now with the views in place something is blocking lookups for external sources. This is my current named.conf file:

<--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
// /etc/bind/named.conf.local

acl internals {
    127.0.0.0/8;
    192.168.0.0/22;
};

include "/etc/opt/csw/bind/named.conf.options";

// View for internal clients

view "internal" {
    match-clients { internals; };
    allow-recursion {
        192.168.0.0/22;
        127.0.0.1;
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    //zone "localhost" {
    //    type master;
    //    file "/etc/opt/csw/bind/db.local";
    //};

    //zone "127.in-addr.arpa" {
    //    type master;
    //    file "/etc/opt/csw/bind/db.127";
    //};

    //zone "0.in-addr.arpa" {
    //    type master;
    //    file "/etc/opt/csw/bind/db.0";
    //};

    //zone "255.in-addr.arpa" {
    //    type master;
    //    file "/etc/opt/csw/bind/db.255";
    //};

    include "/etc/opt/csw/bind/named.conf.local";

    // zone "com" { type delegation-only; };
    // zone "net" { type delegation-only; };
};

// View for external clients

view "external" {
    // address match lists stop at the first matching element, so "any" here
    // matches every client before the two negated entries are ever reached
    match-clients { any; !192.168.0.0/22; !127.0.0.1; };
    allow-recursion {
        127.0.0.1;
    };

    include "/etc/opt/csw/bind/named.conf.external";
};

// Everyone can view root servers

view "all" {
    // views are tried in file order, and "external" above already matches
    // any client, so no query ever reaches this view
    match-clients { any; };
    allow-recursion {
        192.168.0.0/22;
        127.0.0.1;
//      any;
    };

    zone "." {
        type hint;
        file "/etc/opt/csw/bind/db.root";
    };

    zone "localhost" {
        type master;
        file "/etc/opt/csw/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/opt/csw/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/opt/csw/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/opt/csw/bind/db.255";
    };
};

// rndc security

key "rndc-key" {
    algorithm hmac-md5;
    secret "XigPbSdF3oVRXPzax+96xA==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

<--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->

I tried switching the internal zones to a generic 'all' view which can be seen by everybody but it didn't seem to work and I also had a go at allowing recursion for 'all' for the hinted zone too which again didn't do anything.

Can anybody help me in allowing external users to look up all URLs via the hinted zone with the root.db servers file in it?

And at the same time, perhaps tell me if I have left some parts (zones) open which I shouldn't have, to secure the system a bit better?

Many thanks,

Kaya
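As an added illustration (not part of Kaya's post and not BIND's own code), a small Python model of BIND's address-match-list and first-match view selection, loaded with the ACLs and views transcribed from the named.conf above. It shows which view a client lands in and whether that view grants it recursion; the client addresses are constructed samples.

```python
import ipaddress

# ACLs and views transcribed from the posted named.conf (constructed data),
# listed in the order they appear in the file.
ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "internals": ["127.0.0.0/8", "192.168.0.0/22"],
}
VIEWS = [  # (view name, match-clients list, allow-recursion list)
    ("internal", ["internals"], ["192.168.0.0/22", "127.0.0.1"]),
    ("external", ["any", "!192.168.0.0/22", "!127.0.0.1"], ["127.0.0.1"]),
    ("all", ["any"], ["192.168.0.0/22", "127.0.0.1"]),
]

def acl_match(client, elements):
    """BIND address-match-list semantics: elements are tested in order and
    the first one that matches decides; a '!' prefix turns that into deny."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!")
        targets = ACLS.get(name, [name])   # a named acl or a literal prefix
        if any(ip in ipaddress.ip_network(t, strict=False) for t in targets):
            return not negate
    return False                            # nothing matched: deny

def select_view(client):
    """Views are tried in file order; the first match-clients hit wins."""
    for name, clients, _ in VIEWS:
        if acl_match(client, clients):
            return name
    return None

def recursion_allowed(client):
    """Does the view that serves this client also grant it recursion?"""
    view = select_view(client)
    recurse = next((r for n, _, r in VIEWS if n == view), [])
    return acl_match(client, recurse)

if __name__ == "__main__":
    # constructed sample clients: a LAN host, localhost, a host beyond the NAT
    for client in ["192.168.1.10", "127.0.0.1", "203.0.113.5"]:
        print(f"{client:>14} -> view {select_view(client)!r}, "
              f"recursion={recursion_allowed(client)}")
```

Running it shows the WAN-side sample landing in "external" with recursion denied, and no sample ever reaching "all", which is why moving the hint zone there changed nothing.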