Resolving locally hosted zones to trusted clients
Kevin Darcy
kcd at daimlerchrysler.com
Thu Oct 28 22:42:33 UTC 2004
You need to slave or stub the relevant zone(s) in the internal view. If
you decide to slave them, don't forget the also-notify's on the master
to speed up change propagation!
- Kevin
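As an added example (not from either post), here is Kevin's fix applied to Matt's configuration: the "internal-in" view gains slave copies of the two public zones, and the master gets an also-notify pointing at the public server. The ".internal.bak" file names and the master's zone file name are assumptions; the addresses come from Matt's named.conf.

```conf
// Added example, not from the original posts: the "internal-in" view on the
// public server (63.238.248.3) with the two public zones slaved from the same
// master as in "external-in", so trusted clients resolve them locally instead
// of timing out. File names ending in ".internal.bak" are assumed; they must
// differ from the external view's copies because each view writes its own.
view "internal-in" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "fwpubs.com" IN {
        type slave;
        file "fwpubs.com.internal.bak";
        masters { 172.29.10.21; };
    };

    zone "krause.com" IN {
        type slave;
        file "krause.com.internal.bak";
        masters { 172.29.10.21; };
        // Alternative: "type stub;" holds only SOA, NS and glue, and the
        // recursive resolver then follows those NS records itself.
    };

    // The existing hint, localhost, 0.0.127.in-addr.arpa and
    // 251.168.192.in-addr.arpa zones of this view stay unchanged.
};

// On the master 172.29.10.21 (hypothetical stanza; its file name is assumed):
// also-notify sends a NOTIFY to the public server on every serial change, so
// the slave refreshes at once rather than at the SOA refresh interval.
zone "krause.com" IN {
    type master;
    file "krause.com.zone";
    notify yes;
    also-notify { 63.238.248.3; };
};
```

One caveat: because 172.29.10.21 lies inside the "trusted" ACL, the NOTIFY is matched to "internal-in" and refreshes only that view's copy; the "external-in" copy still waits for its SOA refresh timer.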
Matt Goli wrote:
>Greetings all:
>
>I've set up a public BIND 9.2.2 server to host a number of zones for our
>company's domains based on Rob Thomas's "Secure BIND Template"
>http://www.cymru.com/Documents/secure-bind-template.html.
>
>I have one view (external-in) setup to allow any device to query the
>public domains from this BIND server and am not allowing recursive
>lookups from public IPs. I have a second view (internal-in) setup that
>performs recursive lookups for an ACL of "trusted" IP addresses, and
>that is working as expected. My problem comes in when trusted IP
>addresses attempt to query a zone out of my "external-in" view. I
>simply get a "connection timed out; no servers could be reached" when I
>dig from the trusted IP addresses.
>
>So in summary, I can do the following from trusted IP address
>216.111.14.242:
> dig @63.238.248.3 www.google.com
>
>But cannot do:
> dig @63.238.248.3 www.krause.com
>
>But from an untrusted IP I can do:
> dig @63.238.248.3 www.krause.com
>
>Below is my named.conf file for reference. Any feedback is greatly
>appreciated.
>
>Thank you,
>
>---
>Matt Goli, MCP
>Systems Support Group
>
>F+W Publications, Inc.
>- www.fwpublications.com
>Krause Publications, a division of F+W Publications, Inc.
>- www.krause.com
>
>// Declares control channels to be used by the rndc utility.
>// It is recommended that 127.0.0.1 be the only address used.
>// This also allows non-privileged users on the local host to manage
>// your name server.
>//
>acl "xfer" {
> // Allow no transfers. If we have other name servers, please them here.
> none;
>};
>acl "trusted" {
> // Place our internal and DMZ subnets in here so that intranet and DMZ
> // clients may send DNS queries. This also prevents outside hosts from using
> // our name server as a resolver for other domains.
> 63.238.248.0/24;
> 69.28.6.0/24;
> 216.111.14.240/29;
> 63.151.151.120/29;
> 207.136.180.0/29;
> 67.129.227.184/29;
> 208.46.1.120/29;
> 65.114.186.64/28;
> 172.29.0.0/16;
> 192.168.251.0/24;
> localhost; // Self Explanatory
>};
>acl "bogon" {
> // Filter out the bogon networks. These are networks listed by IANA as test,
> // RFC 1918, Multicast, experimental, etc. If you see DNS queries or updates
> // with a source address within these networks, this is likely of malicious
> // origin. CAUTION: If you are using RFC1918 netblocks on your network, remove
> // those netblocks from this list of blackhole ACLs!
>
> // ACL removed for this e-mailing.
>};
>
>key "rndc-key" {
> algorithm hmac-md5;
> secret <removed>
>};
>
>controls {
> inet 127.0.0.1 port 54 allow {any; };
> inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
>};
>
>options {
> directory "/var/named";
> pid-file "/var/named/named.pid";
> statistics-file "/var/named/named.stats";
> dump-file "/var/named/named.dump";
> zone-statistics yes;
> notify no;
> transfer-format many-answers;
> max-transfer-time-in 60;
> interface-interval 0;
> recursion false;
> version "Unknown";
> allow-transfer {
> // Zone transfers limited to members of "xfer" ACL.
> xfer;
> };
>
> allow-query {
> // Accept queries from our "trusted" ACL. We will allow anyone to query
> // our master zones below. This prevents us from becoming a free DNS server
> // to the masses.
> trusted;
> };
>
> blackhole {
> // Deny anything from the bogon networks as detailed in the "bogon" ACL.
> bogon;
> };
>
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> // query-source address * port 53;
>};
>
>logging {
> channel _default_log {
> file "/Library/Logs/named.log";
> severity debug;
> print-time yes;
> };
>
> channel audit_log {
> // Send the security related messages to a separate file.
> file "/Library/Logs/named_audit.log";
> severity debug;
> print-time yes;
> };
>
> category default { _default_log; };
> category general { _default_log; };
> category security { _default_log; audit_log; };
> category config { _default_log; };
> category resolver { audit_log; };
> category xfer-in { audit_log; };
> category xfer-out { audit_log; };
> category notify { audit_log; };
> category client { audit_log; };
> category network { audit_log; };
> category update { audit_log; };
> category queries { audit_log; };
> category lame-servers { audit_log; };
>};
>
>view "internal-in" in {
> // Our internal (trusted) view. We permit the internal networks
> // to freely access this view. We perform recursion for our
> // internal hosts, and retrieve data from the cache for them.
>
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> zone "." in {
> // Link in the root server hint file.
> type hint;
> file "named.ca";
> };
>
> zone "localhost" IN {
> type master;
> file "localhost.zone";
> allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "named.local";
> allow-update { none; };
> };
> zone "251.168.192.in-addr.arpa" IN {
> type slave;
> file "251.168.192.in-addr.arpa.bak";
> masters { 172.29.10.21; };
> };
>};
>
>// Create a view for external DNS clients.
>view "external-in" in {
> // Our external (untrusted) view. We permit any client to access
> // portions of this view. We do not perform recursion or cache
> // access for hosts using this view.
>
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> zone "." in {
> // Link in the root server hint file.
> type hint;
> file "named.ca";
> };
> zone "fwpubs.com" IN {
> type slave;
> file "fwpubs.com.bak";
> masters { 172.29.10.21; };
> allow-query { any; };
> };
> zone "krause.com" IN {
> type slave;
> file "krause.com.bak";
> masters { 172.29.10.21; };
> allow-query { any; };
> };
>};