off-topic: BIND9 question - BSD


Thread: off-topic: BIND9 question

  1. off-topic: BIND9 question

    Hi Everyone,

    I have been running a nameserver for our internal network for some time now,
    serving the mynetwork.local domain and doing recursive lookups for the LAN
    clients. Soon I will need to update this nameserver to be the authoritative
    primary NS for a registered ccTLD.
    The only thing I couldn't find the solution to is this:
    External requests regarding the registered ccTLD should be served, but
    nothing else. I want to prevent people on external hosts from using this
    machine as their nameserver.
    The allow-recursion{} option was a candidate, but the ARM says that cached
    answers from memory (e.g. those looked up earlier for the internal clients)
    will still be available for everybody.

    Any pointer to this topic somewhere or a suggestion on what to look for is
    appreciated.

    Regards,
    Keve
    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  2. Re: off-topic: BIND9 question

    On Mon, 10 Mar 2008 12:23:48 UTC, Keve Nagy
    wrote:

    > I have been running a nameserver for our internal network for some time now,
    > serving the mynetwork.local domain and doing recursive lookups for the LAN
    > clients. Soon I will need to update this nameserver to be the authoritative
    > primary NS for a registered ccTLD.
    > The only thing I couldn't find the solution to is this:
    > External requests regarding the registered ccTLD should be served, but
    > nothing else. I want to prevent people on external hosts from using this
    > machine as their nameserver.


    Are there external secondaries? If so, run yours as a hidden primary
    (i.e. no NS record for it and no delegation to it). That's how I do it.

    Have a look at the BIND book.
    --
    Bob Eager
    UNIX since v6..
    http://tinyurl.com/2xqr6h


  3. Re: off-topic: BIND9 question

    Begin <63knikF27e87uU1@mid.individual.net>
    On Mon, 10 Mar 2008 13:23:48 +0100, Keve Nagy wrote:
    [using one nameserver for both internal recursive serving and serving up
    a ccTLD as a primary]
    > External requests regarding the registered ccTLD should be served, but
    > nothing else. I want to prevent people on external hosts from using this
    > machine as their nameserver.


    As Bob says, a hidden master is the traditional way to do it. The
    newfangled way adds using ``views'' as an option. Running multiple
    binds in different jails may also be an option, although that doesn't
    substitute for the multiple physical instances requirement.

    You do realize you will have to have at least one more nameserver,
    preferably in a completely different network, don't you? This is
    blindingly obvious to competent DNS admins and required by many a TLD
    anyway, but e.g. our friends from Redmond very publicly failed this some
    time ago. They had their nameservers named in a different domain, but
    used four consecutive IPs to serve up their main public domain. And then
    that network dropped off the 'net. With their global presence, they
    could and should have spread all four to different corners of the world.

    Many registrars provide name servers as an extra or even a freebie, and
    some let you use your own as a master (hidden or not) with theirs as a
    secondary. Or you hit up a couple friends and do the ole you scratch my
    back, I scratch yours.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  4. Re: off-topic: BIND9 question

    On Mon, 10 Mar 2008 15:17:52 UTC, jpd
    wrote:

    > You do realize you will have to have at least one more nameserver,
    > preferably in a completely different network, don't you? This is
    > blindingly obvious to competent DNS admins and required by many a TLD
    > anyway, but e.g. our friends from Redmond very publicly failed this some
    > time ago. They had their nameservers named in a different domain, but
    > used four consecutive IPs to serve up their main public domain. And then
    > that network dropped off the 'net. With their global presence, they
    > could and should have spread all four to different corners of the world.
    >
    > Many registrars provide name servers as an extra or even a freebie, and
    > some let you use your own as a master (hidden or not) with theirs as a
    > secondary. Or you hit up a couple friends and do the ole you scratch my
    > back, I scratch yours.


    I pay a company (here in the UK) 20 pounds a year for secondary DNS on
    up to 50 domains. They have three separate DNS servers, separated
    geographically and topologically. The price includes secondary MX too!

    --
    Bob Eager
    UNIX since v6..
    http://tinyurl.com/2xqr6h


  5. Re: off-topic: BIND9 question

    jpd wrote:

    > As Bob says, a hidden master is the traditional way to do it. The
    > newfangled way adds using ``views'' as an option.


    Unfortunately, neither of these actually solves the original issue. A hidden
    master doesn't do anything to stop external users, it is just not
    advertised to the public. And although an external view can have a "recurse
    no" restriction, BIND will still serve non-local requests from its cache.
    What I was really looking for is particularly the way to run a nameserver in
    a way that external queries are answered only from the local Master and
    Slave zone files, and no queries ever forwarded to the root name servers or
    any other nameserver.
    The only way I could think of to achieve this is to have completely
    different BIND instances for external and internal queries, but I was
    hoping someone here already implemented something similar using a single
    BIND instance. I learnt that if today's internet does not show how to do
    something, there is a pretty good reason for that. Including -very often-
    that it just cannot be done the way I want. Still, it never hurts to ask!
    :-)

    All right, so I need to do these separately. Forget the one serving internal
    LAN clients and focus only on a separate, public serving BIND only.
    To make sure that it only provides answers from its own Master and Slave
    zone files, I can imagine two configurations:
    A., use a "recurse no" restriction globally, or individually apply this to
    every view.
    B., do not configure the root zone.

    My only question left is: how proper is solution B?
    Does it violate any kind of written or unwritten rule I don't know about?
    As far as I know, nothing says that a publicly available nameserver which
    has Master and Slave zone data of its own also must have the root zone
    configured. But I can be wrong, so please let me know if you know
    otherwise!
    Don't get me wrong, I am fine with solution A too, I just want to have this
    B thing confirmed. Strictly, out of interest.

    > You do realize you will have to have at least one more nameserver,


    I did. Thank you!
    The other one is 240km away geographically, and has an entirely different
    internet connection from a different provider. I found this acceptable
    enough. Still, practice may prove it later otherwise.

    Regards,
    Keve
    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  6. Re: off-topic: BIND9 question

    Begin <63n3mkF27r3ilU1@mid.individual.net>
    On Tue, 11 Mar 2008 11:02:59 +0100, Keve Nagy wrote:
    > jpd wrote:
    >> As Bob says, a hidden master is the traditional way to do it. The
    >> newfangled way adds using ``views'' as an option.

    >
    > Unfortunately, neither of these actually solves the original issue. A
    > hidden master doesn't do anything to stop external users, it is just
    > not advertised to the public.


    Oh the danger of kiddies scanning for recursive servers then making it
    their primary resolver.

    Amazing solution: restrict all access to it except for the parties you
    want to feed AXFRs. Any FW or even bind9's acls will do.


    > And although an external view can have a "recurse no" restriction,
    > BIND will still serve non-local requests from its cache.


    You're afraid to leak cached information to attackers? Why?


    > What I was really looking for is particularly the way to run a
    > nameserver in a way that external queries are answered only from the
    > local Master and Slave zone files, and no queries ever forwarded to
    > the root name servers or any other nameserver.


    If you don't trust bind's views, run another instance in another jail.
    Fixing up the details is left as an exercise.


    > The only way I could think of to achieve this is to have completely
    > different BIND instances for external and internal queries, but I was
    > hoping someone here already implemeted something similar using a single
    > BIND instance.


    It's what views are for. I must admit not having checked whether serving
    cached information can be turned off, but after recursing is turned off
    for externals the only danger left, apart from exploitable bugs, is
    leaking what is and what is not in the cache.


    > I learnt that if today's inernet does not show how to do something,
    > there is a pretty good reason for that. Including -very often- that it
    > just cannot be done the way I want. Still, it never hurts to ask! :-)


    Except that you weren't really asking. You got several options and
    dismissed them all on grounds of your own convictions. Frankly, I'm
    sorry I answered. So I'm leaving the rest as an exercise to you.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  7. Re: off-topic: BIND9 question

    jpd wrote:

    >> Unfortunately, neither of these actually solves the original issue. A
    >> hidden master doesn't do anything to stop external users, it is just
    >> not advertised to the public.

    >
    > Oh the danger of kiddies scanning for recursive servers then making it
    > their primary resolver.


    Not quite.
    What I am trying to avoid is some of our internal users configuring their
    computers at home to use this machine as their nameserver. They don't
    necessarily do this with any bad intention, they just simply learn these
    addresses by heart while using their internal computers. And once they go
    home or help a friend somewhere to set up the internet, they just tend to
    enter those well memorized numbers.

    >> And although an external view can have a "recurse no" restriction,
    >> BIND will still serve non-local requests from its cache.

    >
    > You're afraid to leak cached information to attackers? Why?


    As I said above, it is not a concern of leaking cached data to attackers. I
    am simply trying to make sure that setting this machine up as a
    general-purpose-internet-name-resolver will not work for anybody outside
    our LAN.

    > but after recursing is turned off
    > for externals the only danger left, apart from exploitable bugs, is
    > leaking what is and what is not in the cache.


    You have a point, and I agree with that. But also consider this for a
    minute: Assuming no recursion is allowed for external queries but answers
    from cache are returned. A large number of users, including researchers in
    labs and students in public access computer rooms generate a fairly good
    amount of cached data of recursive queries on the internal LAN. So if you
    set up an internet connection at home using this server as your DNS, you
    have a fairly good chance that your frequently visited URLs will be
    answered from the nameserver cache. Especially if you frequently visit the
    same URLs from our local LAN while you are here. Therefore, you may get a
    seemingly working internet setup at home, using our DNS server. But when
    you need lookup for rarely accessed URLs, resolution will fail. Ergo, some
    pages work, some do not. This is bad, but also very confusing, which is
    best to avoid by making sure that besides the authoritative zone data no
    other answers are provided to external queries.

    Regards,
    Keve

    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  8. Re: off-topic: BIND9 question

    On Tue, 11 Mar 2008 10:02:59 UTC, Keve Nagy
    wrote:

    > Unfortunately, neither of these actually solves the original issue. A hidden
    > master doesn't do anything to stop external users, it is just not
    > advertised to the public.


    Not if it's firewalled. Mine is, and the only access is from the
    secondaries. Easy peasy.

    --
    Bob Eager
    UNIX since v6..
    http://tinyurl.com/2xqr6h


  9. Re: off-topic: BIND9 question


    >> Unfortunately, neither of these actually solves the original issue. A
    >> hidden master doesn't do anything to stop external users, it is just not
    >> advertised to the public.

    >
    > Not if it's firewalled. Mine is, and the only access is from the
    > secondaries. Easy peasy.


    OK, I see your point now. There was a misunderstanding because I didn't
    explain myself properly enough. It cannot be a hidden master. It has to be
    a public master, and external queries must be allowed, but they should only
    get answers to mymasterdomain.tld requests and nothing else (not even
    cached answers for other requests).

    Fortunately I found that BIND 9.4 now can do this.

    Thanks, Bob!
    Best Regards,

    Keve
    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  10. Re: off-topic: BIND9 question

    In article <63t3l3F28tb79U1@mid.individual.net>,
    Keve Nagy wrote:
    >
    >>> Unfortunately, neither of these actually solves the original issue. A
    >>> hidden master doesn't do anything to stop external users, it is just not
    >>> advertised to the public.

    >>
    >> Not if it's firewalled. Mine is, and the only access is from the
    >> secondaries. Easy peasy.

    >
    >OK, I see your point now. There was a misunderstanding because I didn't
    >explain myself properly enough. It cannot be a hidden master. It has to be
    >a public master, and external queries must be allowed, but they should only
    >get answers to mymasterdomain.tld requests and nothing else (not even
    >cached answers for other requests).
    >
    >Fortunately I found that BIND 9.4 now can do this.


    And so can all other versions of BIND 9 with a little more
    configuration effort. The changes with BIND 9.4 just made it
    easier.

    Mark

    >Thanks, Bob!
    >Best Regards,
    >
    >Keve
    >--
    >if you need to reply directly:
    >keve(at)mail(dot)poliod(dot)hu
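    The configuration the thread converges on, written out as an added example
    (this is not code posted by anyone in the thread; it reflects BIND 9.4+
    syntax as I know it). Two BIND facts make a single named instance work:
    every view has its own cache, so the external view never sees what the LAN
    clients caused to be cached in the internal view, and BIND 9.4 added
    allow-query-cache, which controls cache answers separately from recursion.
    The external view also carries no root hint zone (option B from post 5).
    Constructed values: 192.0.2.0/24 stands for the LAN, 198.51.100.53 for the
    off-site secondary, and the file paths are placeholders; mymasterdomain.tld
    and mynetwork.local are the names used in the thread.

```conf
// Added example (not from the thread): one named instance, BIND 9.4 or later.
// Constructed: 192.0.2.0/24 = LAN, 198.51.100.53 = off-site secondary, paths.

acl "lan"         { 127.0.0.0/8; 192.0.2.0/24; };
acl "secondaries" { 198.51.100.53; };

options {
    directory "/var/named";
    allow-transfer { none; };          // grant AXFR per zone, never globally
};

// Views are matched in order, so the LAN view must come first.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion   { "lan"; };
    allow-query-cache { "lan"; };      // cached answers only for the LAN

    zone "." { type hint; file "named.root"; };   // root hints live here only

    zone "mynetwork.local" {
        type master;
        file "internal/mynetwork.local.db";
    };

    zone "mymasterdomain.tld" {
        type master;
        file "public/mymasterdomain.tld.db";
    };
};

// Everyone else: authoritative data only. This view has its own cache, which
// stays empty because it never recurses, and it has no hint zone at all.
view "external" {
    match-clients { any; };
    recursion no;                      // never recurse for outsiders
    allow-query-cache { none; };       // 9.4+: REFUSED instead of a cache hit
    // Deliberately no zone "." hint here (the thread's option B): even a
    // misconfiguration that re-enabled recursion would have nowhere to go.

    zone "mymasterdomain.tld" {
        type master;
        file "public/mymasterdomain.tld.db";
        allow-transfer { "secondaries"; };
        also-notify { 198.51.100.53; };
        notify yes;
    };
};
```

    Checking it from outside the LAN: `dig @ns.mymasterdomain.tld mymasterdomain.tld SOA`
    must answer with the `aa` flag set, while `dig @ns.mymasterdomain.tld www.example.com A`
    must come back `status: REFUSED` with no `ra` flag, and must still be REFUSED when
    the same name was just resolved from a LAN client (that is the per-view cache at
    work). From the secondary, `dig @ns.mymasterdomain.tld mymasterdomain.tld AXFR`
    must succeed and from any other address it must not. Releases before 9.4 have no
    allow-query-cache; there the external view relies on recursion no plus its own
    empty cache and the missing hint zone, which is the extra configuration effort
    the last reply alludes to.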