Using DNS servers to query root servers from WAN

Kevin Darcy kcd at chrysler.com
Tue Jun 30 23:23:36 UTC 2009


The first view matched is the one which is selected.

External clients are matching the "external" view, but they are not 
allowed to recurse. Therefore they can only see the root zone and/or 
whatever authoritative zones you've defined in that "include" file.

Note that the "all" view is *never* matched, since everything will have 
already matched "internal" or "external" before getting that far.

The bigger security question is: why would you want arbitrary external 
clients to be able to query arbitrary names through you? That makes you 
an "open recursor" and ripe for cache poisoning, etc.

If you want to allow a *limited* set of clients on the other side of 
your NAT to query Internet names, then add them to the "internal" view. 
Optionally, change the name of the "internal" view to something which 
more accurately reflects its intent, e.g. "trusted_ranges" or whatever.

                                    - Kevin
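The two rules Kevin relies on above, views tried in order with the first match winning and address lists evaluated element by element with the first hit deciding, can be checked mechanically. The following script is an added example, not code from the original post and not part of BIND; it models only match-clients and allow-recursion for the three views quoted below and probes them with constructed client addresses. The 203.0.113.0/24 prefix standing in for the "limited set of clients on the other side of your NAT" is an assumption (RFC 5737 documentation space), as is the choice to put the two `!` entries before `any` in the suggested external view, which is needed because in a BIND address_match_list an `any` placed first makes everything after it unreachable.

```python
"""Model of how BIND picks a view and evaluates an address_match_list,
applied to the named.conf quoted in this thread.

Two rules drive the behaviour described in the reply:
  * views are tried in configuration order and the FIRST view whose
    match-clients list matches the client is used, so a later view can
    be unreachable;
  * inside an address_match_list the elements are also tried in order,
    the first element that matches decides, and a '!' element that
    matches means "does not match the list".

Added illustration; not code from the original post and not part of BIND."""
import ipaddress


def acl_matches(acl, client):
    """Evaluate a BIND-style address_match_list for one client address.

    acl    -- list of strings: 'any', 'none', 'a.b.c.d[/n]' or '!a.b.c.d[/n]'
    client -- IPv4 (or IPv6) address as a string
    """
    ip = ipaddress.ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        target = element[1:] if negated else element
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            # the first matching element decides; a negated hit means "no"
            return not negated
    return False  # nothing matched: the list does not match


def select_view(views, client):
    """Name of the first view whose match-clients matches, or None if no
    view matches (named would then refuse the query)."""
    for name, view in views:
        if acl_matches(view["match_clients"], client):
            return name
    return None


def recursion_allowed(views, client):
    """True only if the client lands in a view AND that view's
    allow-recursion list matches it."""
    name = select_view(views, client)
    if name is None:
        return False
    return acl_matches(dict(views)[name]["allow_recursion"], client)


def reachable_views(views, probes):
    """Names of the views actually selected for a set of probe clients.
    A view absent from the result was never chosen for any probe."""
    return {select_view(views, p) for p in probes} - {None}


# The three views as posted (match-clients / allow-recursion only).
ORIGINAL_VIEWS = [
    ("internal", {"match_clients": ["127.0.0.0/8", "192.168.0.0/22"],
                  "allow_recursion": ["192.168.0.0/22", "127.0.0.1"]}),
    # 'any' comes first, so the two '!' entries after it are never consulted
    ("external", {"match_clients": ["any", "!192.168.0.0/22", "!127.0.0.1"],
                  "allow_recursion": ["127.0.0.1"]}),
    ("all",      {"match_clients": ["any"],
                  "allow_recursion": ["192.168.0.0/22", "127.0.0.1"]}),
]

# The reply's suggestion: trusted clients beyond the NAT go into the first
# view, renamed "trusted_ranges". 203.0.113.0/24 is an ASSUMED placeholder
# for those clients. The '!' entries are moved ahead of 'any' (an extra
# tidy-up, see module docstring). The "all" view is left out because it can
# never be selected; zone placement is not modelled here.
SUGGESTED_VIEWS = [
    ("trusted_ranges", {"match_clients": ["127.0.0.0/8", "192.168.0.0/22",
                                          "203.0.113.0/24"],
                        "allow_recursion": ["192.168.0.0/22", "127.0.0.1",
                                            "203.0.113.0/24"]}),
    ("external", {"match_clients": ["!192.168.0.0/22", "!127.0.0.1", "any"],
                  "allow_recursion": ["127.0.0.1"]}),
]

# Constructed probe addresses: LAN host, loopback, the assumed trusted
# remote range, and an unrelated Internet address (RFC 5737 space).
PROBES = ["192.168.1.5", "127.0.0.1", "203.0.113.9", "198.51.100.7"]

if __name__ == "__main__":
    for label, views in (("posted", ORIGINAL_VIEWS), ("suggested", SUGGESTED_VIEWS)):
        print(f"--- {label} configuration ---")
        for p in PROBES:
            print(f"{p:>14} -> view {select_view(views, p)!s:15} "
                  f"recursion={recursion_allowed(views, p)}")
        print("views ever selected:", sorted(reachable_views(views, PROBES)))
```

Running it with the posted configuration shows every probe landing in "internal" or "external" and never in "all", and the Internet probe getting no recursion, which is exactly the behaviour the original poster reported. With the suggested layout the assumed remote range gets recursion while arbitrary Internet clients still do not, so the server does not become an open recursor.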

samankaya at netscape.net wrote:
> Hi, this is my first post here and I have quite an interesting problem 
> at that!
>
> I have migrated my DNS service from Debian Etch Linux to Sun Solaris 9 
> running the Blastwave version of Bind9.
>
> This is a bit hard to explain but basically as default DNS setup in 
> Debian, it installs root servers in which domains for which the server 
> is not authoritative for get resolved. Currently the setup works fine 
> from within my LAN or intranet so that any queries from 
> 192.168.0.0/23 networks resolve perfectly ok as they should for WAN 
> queries.
>
> My issue is that I cannot seem to do the same from the other side of 
> my gateway! The gateway is NAT'ed and I've directed ports 53 for both 
> tcp and udp connections to the IP of the DNS server.
>
> I have had this working before I decided to use views but now with the 
> views in place something is blocking lookups for external sources. 
> This is my current named.conf file:
>
> <----------------------------------------------------------------->
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
>
> // If you are just adding zones, please do that in
> // /etc/bind/named.conf.local
>
>
> acl internals {
>     127.0.0.0/8;
>     192.168.0.0/22;
> };                
>
> include "/etc/opt/csw/bind/named.conf.options";
>
> // View for internal clients
>
> view "internal" {
>     match-clients { internals; };
>     allow-recursion {
>         192.168.0.0/22;
>         127.0.0.1;
>     };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912                                     
>
> //zone "localhost" {
> //        type master;
> //        file "/etc/opt/csw/bind/db.local";
> //};                                       
>
> //zone "127.in-addr.arpa" {
> //        type master;    
> //        file "/etc/opt/csw/bind/db.127";
> //};                                     
>
> //zone "0.in-addr.arpa" {
> //        type master;  
> //        file "/etc/opt/csw/bind/db.0";
> //};                                   
>
> //zone "255.in-addr.arpa" {
> //        type master;    
> //        file "/etc/opt/csw/bind/db.255";
> //};                                     
>
>
> include "/etc/opt/csw/bind/named.conf.local";
>
>
> // zone "com" { type delegation-only; };
> // zone "net" { type delegation-only; };
> };                                     
>
>
> // View for external clients
>
> view "external" {
>     match-clients { any; !192.168.0.0/22; !127.0.0.1; };
>     allow-recursion {
>         127.0.0.1;
>     };
>
> include "/etc/opt/csw/bind/named.conf.external";
>
> };
>
> // Everyone can view root servers
>
> view "all" {
>     match-clients { any; };
>     allow-recursion {
>         192.168.0.0/22;
>         127.0.0.1;
> //      any;
>     };
>
>         zone "." {
>                 type hint;
>                 file "/etc/opt/csw/bind/db.root";
>         };
>
>         zone "localhost" {
>                 type master;
>                 file "/etc/opt/csw/bind/db.local";
>         };
>
>         zone "127.in-addr.arpa" {
>                 type master;
>                 file "/etc/opt/csw/bind/db.127";
>         };
>
>         zone "0.in-addr.arpa" {
>                 type master;
>                 file "/etc/opt/csw/bind/db.0";
>         };
>
>         zone "255.in-addr.arpa" {
>                 type master;
>                 file "/etc/opt/csw/bind/db.255";
>         };
>
> };
>
>
> //rndc security
>
>  key "rndc-key" {
>        algorithm hmac-md5;
>        secret "XigPbSdF3oVRXPzax+96xA==";
>  };
>
>  controls {
>        inet 127.0.0.1 port 953
>                allow { 127.0.0.1; } keys { "rndc-key"; };
>  };
>
> <----------------------------------------------------------------->
>
> I tried switching the internal zones to a generic 'all' view which can 
> be seen by everybody but it didn't seem to work and I also had a go at 
> allowing recursion for 'all' for the hinted zone too which again 
> didn't do anything.
>
> Can anybody help me in allowing external users to be allowed to lookup 
> all URLs via the hinted zone with the root.db servers file in it??
>
> And at the same time perhaps if I have left some parts (zones) open 
> which I shouldn't have either to secure the system a bit better??
>
> Many thanks,
>
> Kaya
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users