Forward zone inside a view

Matus UHLAR - fantomas uhlar at fantomas.sk
Sat Feb 9 15:27:56 UTC 2019


On 07.02.19 16:30, Roberto Carna wrote:
>The desktops I mentioned can only access web apps from internal domains, but
>in some web apps there are links to download the Teamviewer client software
>from the Internet. I can create a private zone "teamviewer.com" with all the
>hostnames and IPs we will use, but if they change I will be in trouble.
>
>So we need to forward the query to our resolvers in order to get a valid
>response.
>
>So I think we can use the forward option from BIND, but it doesn't work at
>all as I described:
>
>1. "recursion no" can only be set at the top (view) level, not overridden
>   at the zone level.
>
>2. If I set "recursion no" at the view level, then a "type forward"
>   zone has no effect:
>
>  view "foo" {
>    recursion no;
>    ...
>    zone "teamviewer.com" {
>      type forward;
>      forward only;
>      forwarders {172.18.1.1; 172.18.1.2;};
>    };
>  };
>
>-- query for foo.teamviewer.com fails and says it's not a recursive query

the whole point of "recursion no" is not to answer recursive queries,
so it is no wonder it works that way.


>3. If I define "recursion yes" at view level:
>
>  view "foo" {
>    recursion yes;
>    ...
>    zone "teamviewer.com" {
>      type forward;
>      forward only;
>      forwarders {172.18.1.1; 172.18.1.2;};
>    };
>  };
>
>-- query for foo.teamviewer.com is OK, but I also get an OK response for
>foo.ibm.com, foo.google.com and any other public domain on the Internet
>(and this is not what I want, it's what I'm trying to prevent)
>
>So can you help me please???

you still have not answered my question:

>> what is the point of running DNS server with only two hostnames allowed to
>> resolve?

However, you can define an empty type master "." zone, and BIND will return
NXDOMAIN for anything else.


>On Thu., Feb 7, 2019 at 15:40, Matus UHLAR - fantomas (<uhlar at fantomas.sk>)
>wrote:
>
>> On 07.02.19 14:58, Roberto Carna wrote:
>> >In our company we have several desktops from two different cities
>> >accessing only internal domains distributed in two views in a private
>> >BIND with authoritative zones, where I've defined "recursion no;".
>> >
>> >But now we have to let them access *.teamviewer.com hostnames, just this
>> >public domain and no other.
>>
>> btw, when did linux.org change to teamviewer.com?
>>
>> >So I've implemented the forwarding of the "teamviewer.com" zone to our BIND
>> >resolver servers (they forward DNS queries to 8.8.8.8). So I've created a
>> >third view with this information in named.conf.local:
>> >
>> >acl internet { 10.0.0.0/24; };
>> >
>> >view "internet" {
>> >   match-clients { internet; key "custom"; };
>> >   recursion yes;
>> >   zone "teamviewer.com" {
>> >        type forward;
>> >        forward only;
>> >        forwarders {
>> >                172.18.1.1;
>> >                172.18.1.2;
>> >        };
>> >   };
>> >};
>>
>>
>> >I defined "recursion yes" but the BIND servers forward all the public
>> >domain queries to our resolvers and not just "teamviewer.com", so it
>> >doesn't work. And if I change to "recursion no", the query for
>> >www.teamviewer.com is refused and at the client side an error appears
>> >saying that recursion is necessary.
>>
>> of course, BIND will resolve other domains (recurse) only when you allow it
>> to recurse.
>>
>> >So I let desktops resolve all the Internet domains or none, and this is
>> >not what I want because I just want to let them resolve teamviewer.com.
>> >
>> >How can I forward only teamviewer.com zone queries to my resolvers???
>>

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 
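
The empty root zone Matus suggests, combined with the forward zone the
original poster already has, written out as an added example; this is not
configuration from the thread or from ISC. The ACL name and network, the
172.18.x forwarders and the key name "custom" are taken from the thread;
the file paths, the allow-recursion/allow-query lines and the
dnssec-validation setting are my assumptions. The trick is that BIND picks
the most specific zone it knows for a query name: "teamviewer.com" (type
forward) wins for names under it and is forwarded, while every other name
falls into the locally served "." zone and gets an authoritative NXDOMAIN
instead of being recursed out to the Internet. Recursion must stay on in
the view, because forwarding is a form of recursion.

```conf
# Added example, not the original poster's or ISC's config.
# named.conf.local fragment: one view that forwards only teamviewer.com
# and answers NXDOMAIN for every other public name.

acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; key "custom"; };  # "custom" is the OP's own TSIG key name

    recursion yes;                   # forwarding needs recursion ...
    allow-recursion { internet; };   # ... but only for these clients (assumed)
    allow-query     { internet; };   # assumed: nobody else talks to this view

    # Assumption: the local "." zone below is unsigned, so a validating
    # resolver cannot build a chain of trust through it; validation is
    # therefore turned off in this view. Revisit if you sign or mirror the root.
    dnssec-validation no;

    # Empty local root zone (Matus' suggestion): the view is now
    # authoritative for "." and returns NXDOMAIN for any name that has
    # no more specific zone in this view.
    zone "." {
        type master;
        file "/etc/bind/db.empty-root";   # assumed path, contents below
    };

    # More specific than ".", so it is chosen first: these queries are
    # sent to the internal resolvers (which in turn forward to 8.8.8.8).
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    # The existing internal authoritative zones stay in this view too, e.g.
    # zone "corp.example" { type master; file "/etc/bind/db.corp.example"; };
};

; ---- /etc/bind/db.empty-root (assumed path): minimal root zone, SOA + NS only ----
$TTL 86400
@           IN  SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
@           IN  NS  localhost.
localhost.  IN  A   127.0.0.1
```

Check it with `named-checkconf` and `named-checkzone . /etc/bind/db.empty-root`
before reloading. From a client inside 10.0.0.0/24, `dig @<server> foo.teamviewer.com`
should come back with whatever the internal resolvers return, and
`dig @<server> foo.google.com` should return status NXDOMAIN with the `aa`
flag set (answered from the local root, no packet leaves the server). If
the internal zones of the other two views must also be visible to these
desktops, they have to be listed in this view as well, since views do not
share zones.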

