Forward zone inside a view

Roberto Carna robertocarna36 at gmail.com
Mon Feb 11 14:05:30 UTC 2019


Matus, I've followed what you say:

view "internet" {
    match-clients { internet_clients; key "pnet"; };

    recursion yes;

    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
            8.8.8.8;
        };
    };
};

but clients can resolve ANY public Internet domain, in addition to
teamviewer.com.... I think "recursion yes" applies to every public domain and
not just to "teamviewer.com", but I don't know why.

Please can you give me more details, using forward or not, on how I can let some
clients resolve just teamviewer.com??? I confirm that my BIND is an
authoritative name server for internal domains.

Thanks a lot again.

On Mon, Feb 11, 2019 at 10:49, Matus UHLAR - fantomas (<
uhlar at fantomas.sk>) wrote:

> On 11.02.19 10:38, Roberto Carna wrote:
> >Dear Matus, thanks a lot for your help.
> >
> >>> what is the point of running DNS server with only two hostnames allowed
> >>> to resolve?
> >
> >The point is I have several desktops that must have access only to internal
> >domains. The unique exception is they have access to teamviewer.com in
> >order to download the Teamviewer client and a pair of operations in this
> >public domain.
>
> if you disable recursion, any client using that server will only have access
> to the domains that are configured on that server internally.
>
> That also means they won't be allowed to contact any internal domains,
> unless you configure those internal domains on that server.
> Also no windows updates, nothing.
>
> >I think if I have setup "recursion = no", if I define a forward zone with
> >"type forward" and the corresponding forwarder, this option enable the
> >recursion just for this defined zone.
>
> No. Forward zone means recursion. "recursion no" is designed for
> authoritative servers, not servers like there.
>
> >In general, my question is how to forward a public domain to a DNS resolver
> >like 8.8.8.8 ???
>
> configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
> do resolution well without forwarding. Also, this seems to be just the
> opposite of what you describe above.
>
> >On Sat, Feb 9, 2019 at 12:28, Matus UHLAR - fantomas (<uhlar at fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 16:30, Roberto Carna wrote:
> >> >Desktops I mentioned can only access web apps from internal domains, but
> >> >in some web apps there are links to download Teamviewer client software
> >> >from Internet. I can create a private zone "teamviewer.com" with all the
> >> >hostnames and IP's we will use, but if they change I will be in trouble.
> >> >
> >> >So we need to forward the query to our resolvers in order to get a valid
> >> >response.
> >> >
> >> >So I think we can use the forward option from BIND, but it doesn't work at
> >> >all as I described:
> >> >
> >> >1. "recursion no" can only be set at the top (view) level, not overridden
> >> >   at the zone level.
> >> >
> >> >2. If I set "recursion no" at the view level, then a "type forward"
> >> >   zone has no effect:
> >> >
> >> >  view "foo" {
> >> >    recursion no;
> >> >    ...
> >> >    zone "teamviewer.com" {
> >> >      type forward;
> >> >      forward only;
> >> >      forwarders {172.18.1.1; 172.18.1.2;};
> >> >    };
> >> >
> >> >-- query for foo.teamviewer.com fails and tells it's not a recursive query
> >>
> >> the whole point of "recursion no" is not to answer recursive queries,
> >> so there should be no wonder it works that way.
> >>
> >>
> >> >3. If I define "recursion yes" at view level:
> >> >
> >> >  view "foo" {
> >> >    recursion yes;
> >> >    ...
> >> >    zone "teamviewer.com" {
> >> >      type forward;
> >> >      forward only;
> >> >      forwarders {172.18.1.1; 172.18.1.2;};
> >> >    };
> >> >
> >> >-- query for foo.teamviewer.com is OK, but I also get response OK from
> >> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >> >(and this is not what I want, it's what I'm trying to prevent)
> >> >
> >> >So can you help me please???
> >>
> >> you still have not answered my question:
> >>
> >> >> what is the point of running DNS server with only two hostnames allowed to
> >> >> resolve?
> >>
> >> However, you can define empty type master "." zone, and bind will return
> >> NXDOMAIN for anything other.
> >>
> >>
> >> >On Thu, Feb 7, 2019 at 15:40, Matus UHLAR - fantomas (<uhlar at fantomas.sk>)
> >> >wrote:
> >> >
> >> >> On 07.02.19 14:58, Roberto Carna wrote:
> >> >> >In our company we have several desktops from two different cities accessing
> >> >> >only internal domains distributed in two views in a private BIND with
> >> >> >authoritative zones, where I've defined "recursion no;".
> >> >> >
> >> >> >But now we have to let them access *.teamviewer.com hostnames, just this
> >> >> >public domain and no other.
> >> >>
> >> >> btw, when did linux.org change to teamviewer.com?
> >> >>
> >> >> >So I've implemented the forwarding of "teamviewer.com" zone to our BIND
> >> >> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've created a
> >> >> >third view with this information in named.conf.local:
> >> >> >
> >> >> >acl internet { 10.0.0.0/24; };
> >> >> >
> >> >> >view "internet" {
> >> >> >    match-clients { internet; key "custom"; };
> >> >> >
> >> >> >    recursion yes;
> >> >> >
> >> >> >    zone "teamviewer.com" {
> >> >> >        type forward;
> >> >> >        forward only;
> >> >> >        forwarders {
> >> >> >            172.18.1.1;
> >> >> >            172.18.1.2;
> >> >> >        };
> >> >> >    };
> >> >> >};
> >> >>
> >> >>
> >> >> >I defined "recursion yes" but the BIND server forwards all the public
> >> >> >domains queries to our resolvers and not just for "teamviewer.com", so it
> >> >> >doesn't work. And if I change to "recursion no", the query for
> >> >> >www.teamviewer.com is refused and at the client side an error appears
> >> >> >telling that recursion is necessary.
> >> >>
> >> >> of course, BIND will resolve other domains (recurse) only when you allow it
> >> >> to recurse.
> >> >>
> >> >> >So I let desktops resolve all the Internet domains or none, and this is
> >> >> >not what I want because I just want to let them resolve just
> >> >> >teamviewer.com.
> >> >> >
> >> >> >How can I forward only teamviewer.com zone queries to my
> >> >> >resolvers???
> >> >>
> >>
> >> --
> >> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> >> Warning: I wish NOT to receive e-mail advertising to this address.
> >> Warning: I do not want to receive any advertising mail at this address.
> >> Eagles may soar, but weasels don't get sucked into jet engines.
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> >> unsubscribe from this list
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >>
>
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> The early bird may get the worm, but the second mouse gets the cheese.
>
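The setup Matus suggests, written out in full as an added example (not configuration from anyone in the thread): the view keeps "recursion yes" so the forward zone is consulted, and an empty "type master" "." zone in the same view turns every other name into an authoritative NXDOMAIN, so no recursion to the public Internet ever happens for these clients. The ACL name and the 172.18.1.1/172.18.1.2 forwarders come from the thread; the internal zone "corp.example", the file paths and the server names are placeholders.

```conf
// named.conf.local fragment (added example; paths and names are placeholders)
acl internet_clients { 10.0.0.0/24; };

view "internet" {
    match-clients { internet_clients; };

    // Must stay on: a "type forward" zone only acts on recursive queries.
    recursion yes;

    // Do NOT put a "." type hint zone in this view; the empty root zone
    // below replaces it and is what blocks every other public domain.

    // The one public domain these clients may resolve, via the internal
    // resolvers (which in turn forward to 8.8.8.8). A zone more specific
    // than "." always wins the zone lookup, so this is consulted first.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    // Internal authoritative zones must be repeated inside this view,
    // otherwise these clients get NXDOMAIN for them as well.
    zone "corp.example" {
        type master;
        file "/etc/bind/db.corp.example";   // placeholder path
    };

    // Empty root zone: any name not matched by a more specific zone above
    // is answered authoritatively with NXDOMAIN instead of being recursed.
    zone "." {
        type master;
        file "/etc/bind/db.empty-root";     // placeholder path
    };
};

// /etc/bind/db.empty-root (constructed; only the SOA and NS the apex needs)
// $TTL 3600
// @   IN SOA ns.corp.example. hostmaster.corp.example. (
//                 2019021101 ; serial
//                 3600 900 604800 3600 )
// @   IN NS  ns.corp.example.
```

To check it from one of the 10.0.0.0/24 clients: `dig @<server> www.teamviewer.com` should return an answer obtained through the forwarders, while `dig @<server> www.ibm.com` should come back NXDOMAIN with the aa flag set and no upstream query in the server's query log.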