forward zone

Frédéric Lochon lochon at crazyfamily.fr
Sat Oct 27 12:35:19 UTC 2018


Le 27/10/2018 à 14:13, Matus UHLAR - fantomas a écrit :
>
> On 27.10.18 13:53, Frédéric Lochon wrote:
>> This is what I wanted to do. But allow-query and allow-recursion are 
>> not allowed inside a zone of type forward.
>
> aha. I haven't looked at the possibility of allow-recursion for "type 
> forward" zone. allow-query still seems to be supported, even if it 
> wouldn't forward...
>

allow-query is not allowed, at least on my BIND:

Oct 27 14:18:49 named[4703]: /etc/bind/named.conf:186: option 
'allow-query' is not allowed in 'forward' zone '.......'

allow-recursion can only exist in the "options" section, but that's probably 
not a problem. I guess I can allow-recursion for everybody as long as 
there is an adequate allow-query option (but I still need to check this).

>> At the beginning I wanted to detect some specific DNS queries on my 
>> BIND.
>> Those queries are dummy (answers too...). It's used by some IoT 
>> devices to send "heartbeats" by using open access points with captive 
>> portal (usually, DNS queries are sent even if you don't authenticate).
>
> IoT devices in your network should have recursion allowed.
>

On my network it's OK.

But it's not OK outside. And this is what I'm trying to do: I want to 
use open access points I find in the neighborhood because my devices 
will travel all over my city.

>> So my first idea was to use BIND logging capabilities, but that's not 
>> applicable because BIND only logs everything or nothing.
>>
>> So, I decided to write my own DNS server which would detect those 
>> queries, and because I have only 1 IPv4, I would let BIND forward the 
>> queries to my custom server (running on the same IP but another port).
>>
>> Thus, slaving is not possible, as queries would be seen only by BIND.
>
> because of caching by BIND, the other server would only see some of those
> queries too.
>

Only a few queries per day will be sent, so I can adjust the TTL accordingly.

-- 

Frédéric Lochon
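Added example (not Frédéric's configuration, and not from the BIND project): a named.conf layout that respects the constraint quoted in this thread, namely that allow-query and allow-recursion are refused inside a "type forward" zone, by placing both in options {} and leaving the forward zone bare. The ACL, addresses, the zone name "hb.example" and the custom server's port 5353 are placeholders.

```conf
// Added example, not the poster's config. Placeholders: hb.example,
// 192.0.2.0/24 (home LAN), port 5353 (custom DNS server on the same IP).

acl "home-lan" {
    127.0.0.0/8;
    192.0.2.0/24;
};

options {
    directory "/var/cache/bind";

    // BIND only forwards recursive queries, so any client that should reach
    // the forward zone below must also be allowed by allow-recursion.
    // Roaming devices arrive from unknown addresses, which is why the thread
    // considers opening recursion to everybody; that turns this host into an
    // open recursive resolver for the whole namespace, not only hb.example.
    allow-query     { any; };
    allow-recursion { any; };

    // Response rate limiting reduces the amplification value of an open
    // resolver (BIND 9.9.4+). Tune the number to the expected traffic.
    rate-limit {
        responses-per-second 5;
    };
};

// Queries under this name are handed to the custom server on another port.
// No allow-query / allow-recursion here: named rejects them in a forward zone,
// as the log line quoted in the message shows.
zone "hb.example" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};
```

Run `named-checkconf /etc/bind/named.conf` after editing; it reports the same "option ... is not allowed in 'forward' zone" error at load time if either option is put back inside the zone block. If opening recursion to any is not acceptable, a view whose match-clients is the home LAN can keep full recursion private while the default view only carries the forward zone.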
