Question About Internal Recursive Resolvers
Grant Taylor
gtaylor at tnetconsulting.net
Sat Oct 15 17:50:55 UTC 2022
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote:
> If you are an ISP/registry/DNS provider, it makes sense to separate
> authoritative zones for your clients' domains, for all those cases your
> client move their domains somewhere else without notifying you (hell,
> they do that too often), or to be able to prepare moving domains to your
> servers.
#truth
> forward zones - named sends recursive query to the primary servers
> stub zones - named fetches NS records from primary servers and
> uses them for resolution
> static-stub zones - named forwards iterative (non-recursive) requests to
> primary servers
>
> clients accessing any of these zones must have recursion allowed and
> recursion must be enabled in BIND.
Please clarify where recursion needs to be allowed; the BIND server
clients are talking to and / or the back end server that BIND is talking
to on the client's behalf.
I'm not completely clear and I think it's better to ask than to assume
incorrectly.
> On 10/15/22 10:03 AM, Bob McDonald wrote:
>> If a non-secure client (read the next sentence...) accesses the same
>> recursive server as a regular client, it will have access to the
>> internal zones by default. Therefore we need to have some sort of
>> access controls in place.
> and THIS is exactly the reason you SHOULD put your internal zones on
> your internal server.
Sorry if I'm being particularly dense this morning, but I'm not
following ~> understanding Bob's and Matus's statements like I want to.
How does hosting the zone on an internal server provide any additional
security? Or are you simply relying on other security mechanisms to
prevent non-secure clients -- as Bob described them -- from accessing
the server ~> zone?
I feel like, by default -- as Bob described, any hosted zone is going to
be accessible by any client that can query the server.
With this in mind, I feel like the type of zone; primary / secondary /
mirror / stub / static-stub / forward, makes little difference in and of
itself. Rather, it would be dependent on global and / or per-zone
allow-* statements to protect the server / zone(s) at the BIND
application level.
Does that make sense?
What am I missing / misunderstanding?
> that's why we are here.
:-)
--
Grant. . . .
unix || die
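For the per-zone allow-* statements Grant is asking about, here is an added example that is not from this thread and not ISC's own sample configuration: a named.conf fragment for an internal recursive resolver carrying all three of the zone types Matus describes, followed by a fragment for the back-end server those zones point at. Every address, ACL name, zone name and file name is a placeholder chosen for the example. The comments record which query each zone type sends (recursive for forward, non-recursive for stub and static-stub, as quoted above) and therefore which allow-* statement on which server actually gates the lookup.

```conf
// Added example, not from the thread or from ISC. Front-end internal
// recursive resolver. What a client may ask is decided by the allow-*
// ACLs below, not by whether a zone is forward, stub or static-stub.
// All addresses, ACL names, zone names and file names are placeholders.

acl "internal" {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;                    // required for forward, stub and static-stub lookups
    allow-recursion   { internal; };  // who may ask this server to recurse
    allow-query       { internal; };  // global default for every zone served here
    allow-query-cache { internal; };  // who may read answers already in the cache
    allow-transfer    { none; };
};

// forward zone: named sends *recursive* (RD=1) queries to the forwarders.
// A forward zone carries no allow-* of its own; the global allow-query and
// allow-recursion above are what gate it.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.1.1.10; 10.1.1.11; };
};

// stub zone: named fetches the NS RRset from the listed server, then sends
// ordinary non-recursive queries to the servers named in that RRset.
zone "lab.example" {
    type stub;
    masters { 10.1.1.10; };           // spelled "primaries" in newer BIND releases
    file "stub.lab.example";
};

// static-stub zone: named sends non-recursive queries straight to the
// configured addresses. A per-zone allow-query overrides the global one:
// only 10/8 may query this zone even though 192.168/16 is in "internal".
zone "dmz.example" {
    type static-stub;
    server-addresses { 10.1.1.11; };
    allow-query { 10.0.0.0/8; };
};

// ---------------------------------------------------------------------
// Back-end server (10.1.1.10 / 10.1.1.11), a separate named.conf.
// It is authoritative for the three zones, so it answers the resolver's
// RD=1 queries for corp.example from its own data and the non-recursive
// stub/static-stub queries likewise; allow-query is the only gate it needs.
// It would need allow-recursion for the resolver only if it were NOT
// authoritative for a forwarded zone and had to recurse on its behalf.
// ---------------------------------------------------------------------
acl "resolvers" { 10.0.0.53; };       // placeholder: the internal resolver's address

options {
    directory "/var/cache/bind";
    recursion no;                     // purely authoritative here
    allow-query    { resolvers; };    // nobody but the internal resolver may ask
    allow-transfer { none; };
};

zone "corp.example" { type master; file "db.corp.example"; };  // "primary" in newer releases
zone "lab.example"  { type master; file "db.lab.example"; };
zone "dmz.example"  { type master; file "db.dmz.example"; };
```

Both fragments can be syntax-checked with named-checkconf before reloading. The point the example is meant to make visible is the one Grant raises: moving a zone to an internal server changes nothing about who may query it unless that server's allow-query (global or per-zone) is narrower than the outside resolver's.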