Question About Internal Recursive Resolvers

Matus UHLAR - fantomas uhlar at fantomas.sk
Sat Oct 15 16:34:57 UTC 2022


>>>I'm thinking about redesigning an internal DNS environment. To begin
>>>with, all internal DNS zones would reside on non-recursive servers
>>>only.
>
>>why?

On 15.10.22 12:03, Bob McDonald wrote:
>My understanding has always been that the recommendation is/was to
>separate recursive and non-recursive servers. Now I understand I'm
>talking about an INTERNAL environment and the rules have over the
>years become somewhat lax... In this case I also believe this would
>provide a more granular approach to using security features such as
>tsig keys to control updates.

This is a common misconception.

Yes, it's a good idea to separate recursive servers accessed/used by your 
clients from authoritative servers accessed/used by the whole internet.

But this does NOT mean that internal/recursive servers must not, nor should 
not, contain your internal zones, nor does it mean you should put your internal 
zones on your publicly accessible authoritative servers.

If you have your own zones for your own usage, exactly the same way you have 
recursive servers, it rarely makes sense to put them on servers other than 
your internal/recursive servers; just put internal zones on internal servers.

If you are an ISP/registry/DNS provider, it makes sense to separate 
authoritative zones for your clients' domains, for all those cases where your 
clients move their domains somewhere else without notifying you (hell, they 
do that too often), or to be able to prepare moving domains to your servers.


>>>The question is this; do I use an internal root with pointers to the
>>>internal zones (as well as the outside DNS world) or do I include stub
>>>zones to point at the non-recursive internal servers?
>
>>stub zones, forward zones (forward with recursion bit set) or static-stub
>>zones (send iterative queries to configured servers)
>
>Again, my understanding is that forwarding would require recursion.
>Thanks for the info about stub zones etc.

forward zones - named sends recursive query to the primary servers
stub zones - named fetches NS records from primary servers and uses them for 
resolution
static-stub zones - named forwards iterative (non-recursive) requests to 
primary servers

clients accessing any of these zones must have recursion allowed and 
recursion must be enabled in BIND. 

>>>Access to the internal DNS zones would be controlled by location.
>
>>if you have recursive servers in internal network, you don't need control
>>access on auth-only servers
>
>If a non-secure client (read the next sentence...) accesses the same
>recursive server as a regular client, it will have access to the
>internal zones by default. Therefore we need to have some sort of
>access controls in place.

and THIS is exactly the reason you SHOULD put your internal zones on your 
internal server.

>Please forgive me if my post was confusing, arrogant, or naive.

neither one.

> I'm simply trying to seek the wisdom of those on the list that have more 
>experience or different experience than myself.  Hopefully, I can gain from 
>that wisdom and we can provide a kind environment where those less educated 
>feel mentored.

that's why we are here.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
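Added example, not part of this thread or of BIND's own documentation: a named.conf fragment that puts the three zone types described in the reply (forward, stub, static-stub) side by side for one constructed internal zone, next to the alternative the reply argues for, hosting the zone as a primary on the internal recursive server itself. The zone name corp.example, the server addresses 10.0.0.53/10.0.1.53 and the ACL ranges are assumptions.

```conf
// Constructed example: one internal zone, "corp.example", reached from an
// internal recursive BIND server. Addresses and ACL ranges are assumptions.
acl "internal" { localhost; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion yes;                  // all three zone types below need recursion
    allow-recursion { internal; };  // only internal clients may recurse
    allow-query { internal; };      // and only they may query at all
};

// Choose exactly ONE of the "corp.example" definitions below; the same zone
// name cannot be declared more than once within a view.

// forward zone: named sends RECURSIVE queries to the listed servers, so those
// servers must themselves allow recursion from this resolver.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// stub zone: named fetches the NS records from the primaries, then resolves
// names in the zone by iterating to whichever servers those NS records name.
zone "corp.example" {
    type stub;
    primaries { 10.0.0.53; 10.0.1.53; };   // "masters" in BIND before 9.16
    file "stub.corp.example";
};

// static-stub zone: named sends ITERATIVE (non-recursive) queries straight to
// the configured addresses and ignores the zone's NS records, so plain
// auth-only internal servers are sufficient as targets.
zone "corp.example" {
    type static-stub;
    server-addresses { 10.0.0.53; 10.0.1.53; };
};

// Alternative argued for in the reply: host the internal zone directly on the
// internal recursive server. The allow-query ACL in options already limits
// who can see it, and no stub/forward plumbing is required.
zone "corp.example" {
    type primary;                   // "master" in BIND before 9.16
    file "db.corp.example";
};
```

Whichever variant is kept, `named-checkconf` will reject the file while more than one "corp.example" definition remains, which is a useful guard against accidentally leaving two in place.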