Allowing recursion for just specific zones
Brian Candler
B.Candler at pobox.com
Tue May 11 08:21:36 UTC 2010
On Mon, May 10, 2010 at 11:54:57AM -0700, Chris Buxton wrote:
> One strategy would be to set up a view that matches recursive queries
> only. Set allow-query to none at the view, then set it any (or
> whatever) in each zone of type forward or stub.
Thank you Chris.
Unfortunately, allow-query is rejected in forward zones. The error is
explicit:
option 'allow-query' is not allowed in 'forward' zone 'example.com'
The 9.2.4 ARM doesn't make this clear, but the 9.4.2 ARM does show a
restricted grammar for forward zones:
zone zone_name [class] {
    type forward;
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ delegation-only yes_or_no ; ]
};
> Or if you want to use your root zone idea, make sure to populate it
> with delegations to the domains that should resolve.
Interesting. It seems to work even if I just delegate to 'localhost',
without having to hardcode the real NS RRs for the zone. That seems like a
bit of a frig though, which may confuse people maintaining it. And ideally
I'd prefer a REFUSED response to NXDOMAIN.
> I'm not sure if the match-recursive statement existed in 9.2. You may
> need to upgrade to something current.
There is "match-recursive-only" (boolean). Does that match queries with the
RD flag set? If so it won't make a difference here, because all the clients
are dumb endpoints which will set RD always.
The application, by the way, is supporting a network of kiosk-like
terminals. They run some third-party applications which need to make
external access to certain services across the Internet. Of course, the
firewall only lets them make connections to specific hosts/ports they need.
However I want to give a similar level of control for DNS lookups too;
otherwise, in the event of a virus infection, the virus could use the DNS as
a covert channel.
Regards,
Brian.
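As an added illustration (not part of the thread, and not endorsed by either poster), here is one way the root-zone approach discussed above could be written in BIND 9.4 syntax: the server is master for "." and delegates each permitted domain to localhost, while a forward zone for that domain sends the real lookups upstream. The kiosk subnet 192.0.2.0/24, the upstream forwarder 198.51.100.53, the file paths and the serial are assumed values.

```conf
// --- named.conf (assumed path: /etc/bind/named.conf) ---
acl kiosks { 192.0.2.0/24; };          // assumed kiosk network

options {
    directory "/etc/bind";            // assumed
    recursion yes;
    allow-recursion { kiosks; };      // only the terminals may recurse
    allow-query     { kiosks; };
};

// Local root zone: names not delegated below are answered from here
// (authoritative NXDOMAIN, as observed in the thread), so nothing else
// can be resolved through this server.
zone "." {
    type master;
    file "db.root-allowed";
};

// Forward zone for each permitted domain; allow-query is not accepted
// here (see the restricted grammar above), so access is controlled by
// the view/options level and by what the root zone delegates.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };    // assumed upstream resolver
};

// --- db.root-allowed (zone file for ".", assumed path) ---
// $TTL 3600
// @            IN SOA localhost. hostmaster.localhost. (
//                     2010051101 ; serial (constructed)
//                     3600 900 604800 3600 )
//              IN NS  localhost.
// localhost.   IN A   127.0.0.1
// ; one delegation per permitted domain, pointing at this server
// example.com. IN NS  localhost.
```

Queries for any name outside the delegated domains are answered from the local root zone with NXDOMAIN rather than REFUSED, which is the behaviour the message above describes as working but not ideal.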