3rd party CNAMEs and open recursion
Verne Britton
verne at wvnet.edu
Mon Mar 4 20:26:48 UTC 2013
On 3/4/2013 2:45 PM, Barry Margolin wrote:
> In article <mailman.1592.1362422631.11945.bind-users at lists.isc.org>,
> Verne Britton <verne at wvnet.edu> wrote:
>
>> I have been testing and testing and either just don't see what I'm doing
>> wrong, or have a learning block :-)
>>
>> current thinking is that a open recursion DNS server is bad, so we want to
>> implement an allow-recursion clause; perhaps even make some views so our
>> local users still recurse while the general public cannot ...
>>
>> but I am running into a roadblock with our Google Apps cname:
>>
>> gmail.wvstateu.edu is a cname to ghs.google.com
>>
>> and bind wants recursion turned on in order to translate it.
>
> What's the problem?
>
> If the query comes from a local user, recursion will be allowed, and the
> CNAME will be resolved.
>
> If the query comes from a remote resolver, recursion shouldn't even be
> requested. You'll respond with the CNAME, and the remote resolver will
> then do its own lookup of that.
>
Barry asks what's my problem ...
***** it doesn't work :-) :-)
for some reason my server wants to do the CNAME resolution itself instead of just returning the CNAME alone ... perhaps I have something configured wrong. Don't know if I'm being hit with queries from other DNS servers or from end users ...
HEY ... maybe that's the answer ... perhaps all my testing and all my complaints are from staff who go home and use their campus configs at home ... and try to use the public authoritative server as their personal resolving (recursing) server ... let me see how to test that ...
anyway, here is my test named.conf
include "/etc/named-masters.conf";

// 18-feb-2013 use TRUSTED later for Recursive Resolution filter
acl "trusted" {
    localhost;
    129.71.0.0/16;      /* WVNET network */
    168.216.0.0/16;     /* K12 network */
};

options {
    directory "/var/named/slaves";
    allow-transfer { 127.0.0.1;    /* loopback */
                     129.71.1.1;   /* NameServ */
                   };
    auth-nxdomain yes;             /* respond as authoritative for everything */
    transfer-format one-answer;
    notify no;
    recursion no;                  /* 18-feb-2013 default=YES, adding anyway */
    additional-from-auth no;       /* turn back on in VIEW when needed */
    additional-from-cache no;      /* turn back on in VIEW when needed */
    recursive-clients 9123;        /* Google says default is 1k */
    files 8192;                    /* bump it up from 1024 default */
                                   /* and to match Max Sockets */
                                   /* fixes info msgs when starting */
                                   /* and "too many open files" msgs */
                                   /* 10-sep-2012 double it from 4k to 8k */
    tcp-clients 400;               /* 6-sep-2012 bump up from the default of 100 */
                                   /* 10-sep-2012 double it from 200 to 400 */
    allow-query { any; };
    allow-recursion { trusted; };
};  /* end of OPTIONS */

include "/etc/named-logging.conf";
include "/etc/named-key.conf";

view "public-2"
{
    match-clients { any; };
    match-destinations { any; };

    // for additional-from-auth to be YES, must have recursion NO
    recursion yes;
    allow-recursion { trusted; };
    additional-from-auth yes;
    additional-from-cache yes;

    // somewhere someone suggests each view must have its own HINTS entry
    zone "." {
        type hint;
        file "/var/named/data/cache.dat";
    };

    zone "10.in-addr.arpa"      { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "16.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "17.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "18.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "19.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "20.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "21.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "22.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "23.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "24.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "25.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "26.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "27.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "28.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "29.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "30.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "31.172.in-addr.arpa"  { type master; file "/var/named/data/inverse-private-dummy.dat"; };
    zone "168.192.in-addr.arpa" { type master; file "/var/named/data/inverse-private-dummy.dat"; };

    zone "2.71.129.in-addr.arpa" {
        type slave;
        file "wvnet2_rev.dat";
        masters { stealth-source; };
    };

    zone "southernwv.edu" {
        type master;
        file "southernwv.dat";
    };

    zone "wvstateu.edu" {
        type master;
        file "wvstateu.dat";
    };
    // end of view public-2
};
//
//
// end of file
and here are my two test zones (if it matters):
$ORIGIN wvstateu.edu.
$TTL 86400      ; 1 day
wvstateu.edu.   IN SOA  nameserv.wvnet.edu. hostmaster.wvnet.edu. (
                        102         ; serial
                        7200        ; refresh (2 hours)
                        3600        ; retry (1 hour)
                        2592000     ; expire (4 weeks 2 days)
                        900         ; minimum (15 minutes)
                        )
                NS      nameserv3.wvnet.edu.
                A       98.129.177.93
                MX      10 mailfoundry
$TTL 3600       ; 1 hour
mailfoundry     A       129.71.208.204
gmail           CNAME   ghs.l.google.com.
sso             IN A    129.71.208.239
                IN A    65.78.203.230
                IN A    129.71.208.235
;;
;; end of zone

$ORIGIN .
$TTL 86400      ; 1 day
southernwv.edu  IN SOA  nameserv3.wvnet.edu. hostmaster.wvnet.edu. (
                        7           ; serial
                        7200        ; refresh (2 hours)
                        3600        ; retry (1 hour)
                        2592000     ; expire (4 weeks 2 days)
                        900         ; minimum (15 minutes)
                        )
                NS      nameserv3.wvnet.edu.
                A       67.222.2.224
                MX      10 mailin1.wvnet.edu.
                MX      20 mailin2.wvnet.edu.
$ORIGIN southernwv.edu.
gmail           CNAME   ghs.l.google.com.
sip             CNAME   sipdir.online.lync.com.
www             A       67.222.2.224
;;
;; end of zone
my test server (it's up and down a lot) is at 129.71.2.224 with these two test zones ... what I want to be able to do is:
1. serve the A records as authoritative
2. somehow handle resolutions coming at me for the CNAMEs
3. not have a public open recursive server
Verne
--------------------------------------------------------------------
Verne Britton, Lead Systems Programmer voice: (304) 293-5192 x230
Systems Support Group (in WV, call 1-800-253-1558)
West Virginia Network for FAX: (304) 293-5540
Educational Telecomputing verne at wvnet.edu
837 Chestnut Ridge Road http://myweb.wvnet.edu/~verne
Morgantown, WV 26505 http://www.wvnet.edu
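A split-view named.conf that meets the three goals listed in the message (authoritative A records, CNAMEs handed back for the remote resolver to chase, no public recursion), added here as an illustration and not Verne's configuration or anything posted in the thread. It assumes a BIND 9 release in which each view carries its own zone statements, reuses the "trusted" ACL, zone file names and hints path from the message, and every other value is constructed.

```conf
// Added example (not from the thread): two views so that only the
// trusted ACL ever gets recursion. Assumes the ACL, zone files and
// hints path shown in the message above; everything else is constructed.
acl "trusted" {
    localhost;
    129.71.0.0/16;      /* WVNET network */
    168.216.0.0/16;     /* K12 network */
};

options {
    directory "/var/named/slaves";
    recursion no;                   /* global default: authoritative only */
    allow-query { any; };
    allow-recursion { trusted; };   /* views below make the real decision */
};

// Views are matched in order: campus clients hit this one first and get
// a full resolver. Root hints are only needed where recursion happens.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    zone "." { type hint; file "/var/named/data/cache.dat"; };
    zone "wvstateu.edu"   { type master; file "wvstateu.dat"; };
    zone "southernwv.edu" { type master; file "southernwv.dat"; };
};

// Everyone else lands here and gets authoritative answers only. A query
// for gmail.wvstateu.edu is answered with the CNAME record and the remote
// resolver looks up ghs.l.google.com itself; because this view never
// recurses it answers without the RA flag and cannot serve as an open
// resolver, whether the client set RD or not.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "wvstateu.edu"   { type master; file "wvstateu.dat"; };
    zone "southernwv.edu" { type master; file "southernwv.dat"; };
};
```

Run named-checkconf before reloading; afterwards, `dig @129.71.2.224 gmail.wvstateu.edu` from an address outside the trusted ACL should return the CNAME with no `ra` in the header flags, while the same query from a campus address should return the CNAME plus the resolved A records.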