Stub zones, but secondary?
Peter
pmc at citylink.dinoex.sub.org
Mon Nov 20 00:00:12 UTC 2023
On Sun, Nov 19, 2023 at 09:10:13PM +0000, Elmar K. Bins wrote:
! my freshly recrafted DNS servers got the latest BIND 9.18 pkg from FreeBSD.
! They're all supposed to only respond for a certain set of zones to the outside,
! but should be able to be used as a resolver from localhost.
!
! The pkg comes with a default config that slaves "." and its cousins instead
! of pushing a static hints file. I like this.
Me too. :)
! Unfortunately, the config just has them as slave zones, without a "hint"
! marking. Anybody can query the box for them. I don't like this.
It's tricky. One problem is that these are slave zones: they are
authoritative and do not work well with DNSSEC.
So I crafted something that does apparently work...
view "rootslave" {
    match-clients { 127.0.0.2/32; };
    allow-query-cache { none; }; // from ARM example
    allow-recursion { none; };
    recursion no;
    zone "." {
        type slave;
        masters {
            // the usual root servers...
        };
        // etc.etc.
    };
};

view "intraslave" {
    match-clients { 127.0.0.3/32; key "slave2."; };
    allow-query-cache { none; }; // from ARM example
    allow-recursion { none; };
    recursion no;
    zone "example.com" { // internal version of my public domain
        // looks a little different than public version
        type slave; // comes from hidden primary
        // etc.etc.
    };
    zone "intranet.example.com" { // my lan domain
        type slave;
        // etc. etc.
    };
};

// The outside authoritative stuff - but not yet serving it from here!
view "extraslave" {
    match-clients { key "slave2a."; }; // slave2a. is for notify
                                       // from hidden primary
    allow-query-cache { none; }; // from ARM example
    allow-recursion { none; };
    recursion no;
    zone "example.com" { // These are the zones I'm authoritative for
        type slave; // fetched from hidden primary
        // this must be placed here, and NOT in this view!
        allow-query { any; };
        // etc.etc.
    };
};

// Now wiring it all together:
view "guest" {
    // for local machines that can use my internet but are NOT
    // allowed into my lan (currently none exist)
    match-clients { none; };
    // bring the root stuff in
    zone "." {
        type static-stub;
        server-addresses { 127.0.0.2; };
    };
    zone "arpa" {
        type static-stub;
        server-addresses { 127.0.0.2; };
    };
    // etc.etc.
    // include localhost and empty zones
    include "/usr/local/etc/namedb/named.localempty.conf";
    include "/usr/local/etc/namedb/named.localempty-e.conf";
};

// Serving the Intra-net:
view "intra" {
    dnstap { all; };
    match-clients { 127.0.0.1/32;
                    ::1/128;
                    192.168.0.0/16;
                    fd00::/8;
                    // etc.etc. - all the locally used IP
    };
    // bring the root stuff in
    zone "." {
        in-view "guest";
    };
    zone "arpa" {
        in-view "guest";
    };
    // etc.etc.
    zone "example.com" { // internal view of public domain!
        type static-stub;
        server-addresses { 127.0.0.3; };
    };
    // lan domain
    zone "intranet.example.com" {
        type static-stub;
        server-addresses { 127.0.0.3; };
    };
    // etc.etc.
    // localhost and empty zones
    include "/usr/local/etc/namedb/named.localempty.conf";
};

// And finally outbound authoritative, i.e. the stuff for all internet
view "external" {
    match-clients { any; };
    allow-query-cache { none; }; // from ARM example
    allow-recursion { none; };
    recursion no;
    zone "example.com" {
        in-view "extraslave";
    };
    // etc.etc.
    // here we must NOT refer to the slave rootzones!
    // (not sure if this is needed at all)
    zone "." {
        type hint;
        file "/usr/local/etc/namedb/named.root";
    };
    // localhost and empty zones (shouldn't harm)
    include "/usr/local/etc/namedb/named.localempty.conf";
    include "/usr/local/etc/namedb/named.localempty-e.conf";
};
! I've put the appropriate "allow-query { localhost; };" into every friggin'
! zone entry. I REALLY don't like this.
!
! I'm wondering whether there's a more elegant way. Like "secondary-hint" zones.
! Have I overlooked something?
Maybe. As you can see, it can be done, but it's a bit weird -
I got the fancy that I want to have all six-way in one running image. ;)
(Originally I just got bored of the SSH known-host files, and to get
rid of these you need DANE/SSHFP and proper DNSSEC.)
cheerio,
Peter
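A small lint for the concern raised in this thread (a slaved copy of "." that any client can query), as an added example that is neither BIND code nor the poster's configuration. It parses the named.conf subset used in the config above (nested brace blocks, quoted strings, comments), follows in-view references to the view that defines a zone, and reports views whose match-clients includes any and which serve a slave/secondary root zone with an effective allow-query of any. The sample configurations are constructed; the rule that allow-query is taken from the defining zone, then its view, then BIND's default of any, is an assumption that follows the comment in the config above. The function names (tokenize, parse_block, exposed_secondary_roots) are this example's own.

```python
"""Lint a named.conf-style text for slaved copies of the root zone that any
client can query.  Added example, not BIND code and not the poster's files;
covers only the named.conf subset used in the thread.  ACL negation ("!any")
and named acl statements are out of scope (assumption)."""
import re
_TOKEN = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    """Yield tokens with comments dropped and surrounding quotes removed."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith(('//', '#', '/*')):
            continue
        yield tok[1:-1] if tok.startswith('"') else tok

def parse_block(toks, i=0):
    """Turn tokens into (words, body) statements; body is None or a nested list."""
    stmts, words = [], []
    while i < len(toks):
        tok, i = toks[i], i + 1
        if tok == '{':
            body, i = parse_block(toks, i)
            stmts.append((words, body))
            words = []
        elif tok == '}':
            return stmts, i
        elif tok == ';':
            if words:
                stmts.append((words, None))
            words = []
        else:
            words.append(tok)
    return stmts, i

def find(stmts, keyword):
    """First statement whose keyword is `keyword`, or None."""
    return next(((w, b) for w, b in stmts if w and w[0] == keyword), None)

def acl(stmts, keyword, default):
    """Flattened address-match list of e.g. match-clients, or `default` if unset."""
    found = find(stmts, keyword)
    if found is None or found[1] is None:
        return default
    return [tok for words, _ in found[1] for tok in words]

def zone_def(views, vname, zname):
    """Follow in-view references to the (view, zone body) that defines the zone."""
    for words, zbody in views.get(vname, []):
        if words[:2] == ['zone', zname] and zbody is not None:
            ref = find(zbody, 'in-view')
            return zone_def(views, ref[0][1], zname) if ref else (vname, zbody)
    return None

def exposed_secondary_roots(conf_text, watch=('.',)):
    """(view, zone) pairs where a slaved copy of a watched zone is served to 'any'."""
    top, _ = parse_block(list(tokenize(conf_text)))
    views = {w[1]: b for w, b in top if w[:1] == ['view'] and b is not None}
    if not views:
        views = {'_default': top}  # no view statements: the file is one view
    findings = []
    for vname, vbody in views.items():
        if 'any' not in acl(vbody, 'match-clients', ['any']):
            continue
        for words, zbody in vbody:
            if words[:1] != ['zone'] or len(words) < 2 or zbody is None or words[1] not in watch:
                continue
            dview, dbody = zone_def(views, vname, words[1]) or (None, [])
            ztype = find(dbody, 'type')
            if ztype is None or ztype[0][1] not in ('secondary', 'slave'):
                continue
            # Assumption (per the thread): allow-query lives on the defining zone,
            # falling back to its view, then to BIND's default of "any".
            effective = acl(dbody, 'allow-query', acl(views[dview], 'allow-query', ['any']))
            if 'any' in effective:
                findings.append((vname, words[1]))
    return findings

# Constructed sample configurations (not the poster's real files).
DEFAULT_VIEW = '''
options { directory "/var/named"; };
zone "." { type secondary; primaries { 192.0.2.1; }; file "root.db"; };
'''
SPLIT_VIEWS = '''
view "rootslave" {
  match-clients { 127.0.0.2/32; }; recursion no;
  zone "." { type slave; masters { 192.0.2.1; }; file "root.db"; };
};
view "intra" {
  match-clients { 127.0.0.1/32; 192.168.0.0/16; };
  zone "." { type static-stub; server-addresses { 127.0.0.2; }; };
};
view "external" {
  match-clients { any; }; recursion no;
  zone "example.com" { type slave; masters { 192.0.2.2; }; file "ex.db"; };
  zone "." { %s };
};
'''
LEAKY = SPLIT_VIEWS % 'in-view "rootslave";'           # re-exports the slaved root
SAFE = SPLIT_VIEWS % 'type hint; file "named.root";'  # public view gets hints only

if __name__ == '__main__':
    for name, conf in (('default', DEFAULT_VIEW), ('leaky', LEAKY), ('safe', SAFE)):
        print(name, exposed_secondary_roots(conf))
```

Run against a real config after `named-checkconf -p` has expanded the includes, since the example does not follow include statements itself; it flags the pkg-default layout (root slaved in the one implicit view) and an external view that re-exports the slaved root through in-view, and stays quiet for the layout above where the public view only carries a hint zone.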