Question About Internal Recursive Resolvers
Fred Morris
m3047 at m3047.net
Sat Oct 15 19:15:09 UTC 2022
People do the funniest things with DNS. It's a pretty good key-value
store, especially for read-heavy workloads.

Maybe you update counters for "what clients in this OT environment are
posting telemetry to this web server"? DNS wouldn't be a good choice for
that, but Redis is. But maybe you want to query for the info with the DNS;
as a bonus, DNS can offload / cache reads.

On Sat, 15 Oct 2022, Grant Taylor via bind-users wrote:
> [...]
> How does hosting the zone on an internal server provide any additional
> security? Or are you simply relying on other security mechanisms to prevent
> non-secure clients -- as Bob described them -- from accessing the server ~>
> zone?
>
> I feel like, by default -- as Bob described, any hosted zone is going to be
> accessible by any client that can query the server.

DNS is federated, meaning that a server can be both a service and a
client, which means in the use case given above that the Redis instances
can be distributed close to where the counters are updated; the DNS will
go out and collect those counters when you query them, no need to send a
constant stream of telemetry to a central location.

You probably don't want those counters accessible to every dog on the
internet. Some thought is necessary in deploying DNS servers so that
intended clients get access. (We don't usually expect DNS clients to issue
hundreds of requests per second either, but it works; you just need to
give it some thought.)

I assume that people have been doing variations on this sort of thing
since PDPs were as common as LSD in Berkeley.

The usual suspects arrive: TSIG, allowed addresses, firewall rules;
site-to-site VPNs; that sort of thing. Turns out RPZ is useful as a WAF
equivalent, limiting the Redis keys which can be queried as well as the
types of allowed queries.

Here is my contribution to ensuring employment for DNS subject matter
experts:

* https://github.com/m3047/rkvdns -- DNS proxy for Redis
* https://github.com/m3047/rkvdns_examples -- examples

--
Fred Morris, internet plumber
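One way to do the RPZ-as-WAF restriction mentioned in the post, written as an added example that is not from the post or from the rkvdns project: a BIND response-policy zone that passes through queries for an allowlist of keys and answers NXDOMAIN for every other name under the proxy zone. It assumes rkvdns is reached through a forward zone `redis.example.com` on 10.20.1.5, that keys are queried as `<key>.<operator>.redis.example.com`, and that 10.20.0.0/16 is the client network (all constructed; check the rkvdns README for the real name layout).

```conf
// named.conf (excerpt): only intended clients may query, and every
// answer this resolver gives is filtered through the policy zone
options {
    allow-query { 10.20.0.0/16; localhost; };
    response-policy { zone "rpz.local"; };
};

// assumption: rkvdns serves redis.example.com on 10.20.1.5
zone "redis.example.com" {
    type forward;
    forward only;
    forwarders { 10.20.1.5; };
};

zone "rpz.local" {
    type primary;
    file "rpz.local.db";
    allow-query { none; };   // the policy zone itself is never served to clients
};

; rpz.local.db: triggers are ordinary DNS names, so an exact name wins over a
; wildcard, and a wildcard only matches below its closest existing parent
$TTL 60
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 60 )
    IN NS   localhost.

; allowlist (constructed key/operator pairs): passed through to rkvdns untouched
telemetry-count.get.redis.example.com   IN CNAME rpz-passthru.
posting-clients.hkeys.redis.example.com IN CNAME rpz-passthru.

; any other key under an allowed operator -> NXDOMAIN
; (needed because the exact names above create the "get" and "hkeys" nodes,
;  so *.redis.example.com alone would not cover their siblings)
*.get.redis.example.com                 IN CNAME .
*.hkeys.redis.example.com               IN CNAME .

; any other operator, any key -> NXDOMAIN
*.redis.example.com                     IN CNAME .
```

These rules filter on the queried name only; the passthru CNAME does not look at the query type, so restricting record types needs a separate control.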