RE: Preventing recursion ... (preventing confusion?) - DNS



  1. RE: Preventing recursion ... (preventing confusion?)

    On my RHEL5 box the way I ensured neither cache lookups nor recursive
    lookups would work for outsiders was to modify named.conf to have:

    1) options section:
    allow-query { internaldns; externaldns; };
    allow-recursion { internaldns; externaldns; };

    2) Create ACLs named internaldns and externaldns which specified IPs or
    ranges of IPs that I wanted to allow to do recursive and cache lookups.

    3) Modify each zone section to include:
    allow-query { any; };

    The options section is global so restricts queries (including cache) and
    recursion to only the IPs defined in the ACLs. The modification of the
    zone sections allows anyone (whether they're in the ACLs or not) to do
    queries of the zones for which we're authoritative.

    Note this was on the RHEL5-patched version of 9.3.4-P1, which has also
    been back-ported to have the new exploit port randomization fix. I
    believe it would work for the version you noted as well.

    -----Original Message-----
    From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    Behalf Of Peter Laws
    Sent: Wednesday, July 30, 2008 12:44 PM
    To: Jeremy C. Reed
    Cc: bind-users@isc.org
    Subject: Re: Preventing recursion ... (preventing confusion?)

    Jeremy C. Reed wrote:
    > With older versions, a workaround is to have a default allow-query for
    > just your local networks (like your allow-recursion) in the options

    and
    > then open up allow-query { any; }; just within your specific zone
    > statements.


    Clearly, RH hasn't back-ported that feature.

    The work-around gives the desired e-finger.

    Many thanks!

    --
    Peter Laws / N5UWY
    National Weather Center / Network Operations Center
    University of Oklahoma Information Technology
    plaws@ou.edu


  2. Re: Preventing recursion ... (preventing confusion?)

    In article ,
    "Jeff Lightner" wrote:

    > On my RHEL5 box the way I insured neither cache lookups nor recursive
    > lookups would work for outsiders was modify named conf to have:
    >
    > 1) options section:
    > allow-query { internaldns; externaldns; };
    > allow-recursion { internaldns; externaldns; };


    Of course, if you're restricting allow-query, you don't need to specify
    allow-recursion. Allow-recursion is only needed when it's more
    restrictive than allow-query.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***


  3. RE: Preventing recursion ... (preventing confusion?)

    I'm using 9.3.4-P1 (backported for the exploit) on RHEL5 so I had to do it
    this way. For later BIND versions you're correct based on the reading
    I did at the time.

    -----Original Message-----
    From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    Behalf Of Barry Margolin
    Sent: Wednesday, July 30, 2008 10:55 PM
    To: comp-protocols-dns-bind@isc.org
    Subject: Re: Preventing recursion ... (preventing confusion?)

    In article ,
    "Jeff Lightner" wrote:

    > On my RHEL5 box the way I insured neither cache lookups nor recursive
    > lookups would work for outsiders was modify named conf to have:
    >
    > 1) options section:
    > allow-query { internaldns; externaldns; };
    > allow-recursion { internaldns; externaldns; };


    Of course, if you're restricting allow-query, you don't need to specify
    allow-recursion. Allow-recursion is only needed when it's more
    restrictive than allow-query.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***


  4. Re: Preventing recursion ... (preventing confusion?)

    In article ,
    "Jeff Lightner" wrote:

    > I'm using 9.3.4-P1 (backported for the exploit) on RHEL5 so had to do it
    > this way. For later BIND versions you're correct based on the reading
    > I did at the time.


    I'm pretty sure allow-query has always worked the way I describe. If
    you're not allowed to query at all, it doesn't matter whether you're
    allowed to recurse. The query is rejected before it ever checks whether
    the client is in the recursion ACL.

    >
    > -----Original Message-----
    > From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    > Behalf Of Barry Margolin
    > Sent: Wednesday, July 30, 2008 10:55 PM
    > To: comp-protocols-dns-bind@isc.org
    > Subject: Re: Preventing recursion ... (preventing confusion?)
    >
    > In article ,
    > "Jeff Lightner" wrote:
    >
    > > On my RHEL5 box the way I insured neither cache lookups nor recursive
    > > lookups would work for outsiders was modify named conf to have:
    > >
    > > 1) options section:
    > > allow-query { internaldns; externaldns; };
    > > allow-recursion { internaldns; externaldns; };

    >
    > Of course, if you're restricting allow-query, you don't need to specify
    > allow-recursion. Allow-recursion is only needed when it's more
    > restrictive than allow-query.


    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***
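An added example, not code from this thread: a small Python model of how the ACLs in Jeff's config (post 1) are applied, and of Barry's point (posts 2 and 4) that a client outside allow-query is refused before allow-recursion is ever consulted. The ACL address ranges, the example.com zone and the STRICTER option set are constructed for the demonstration; the model handles only address-based ACL elements and a longest-suffix zone lookup, not the full set of things a real named.conf ACL can contain.

```python
import ipaddress

# Constructed named.conf model from the thread: named ACLs, global options, one zone.
ACLS = {
    "internaldns": ["10.0.0.0/8", "192.168.1.0/24"],
    "externaldns": ["203.0.113.0/24"],
}
OPTIONS = {  # options { ... }; as in post 1
    "allow-query": ["internaldns", "externaldns"],
    "allow-recursion": ["internaldns", "externaldns"],
}
STRICTER = {  # allow-recursion tighter than allow-query: the only case it matters (post 2)
    "allow-query": ["internaldns", "externaldns"],
    "allow-recursion": ["internaldns"],
}
ZONES = {"example.com": {"allow-query": ["any"]}}  # zone "example.com" { allow-query { any; }; };

def matches(client, acl):
    """True if client matches any element: 'any', a named ACL, or a CIDR prefix."""
    ip = ipaddress.ip_address(client)
    for elem in acl:
        if elem == "any":
            return True
        if elem in ACLS:
            if matches(client, ACLS[elem]):
                return True
        elif ip in ipaddress.ip_network(elem, strict=False):
            return True
    return False

def zone_for(qname):
    """Closest enclosing authoritative zone, or None for a cache/recursive lookup."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in ZONES:
            return cand
    return None

def decide(client, qname, options=OPTIONS):
    """Apply the ACLs in BIND's order: allow-query first, then allow-recursion."""
    zone = zone_for(qname)
    # A zone's own allow-query overrides the global one for names under that zone.
    acl = ZONES[zone].get("allow-query", options["allow-query"]) if zone else options["allow-query"]
    if not matches(client, acl):
        return "REFUSED"  # rejected before allow-recursion is ever consulted
    if zone:
        return "AUTHORITATIVE"  # answered from zone data; recursion not needed
    if matches(client, options["allow-recursion"]):
        return "RECURSIVE"
    return "REFUSED (recursion denied)"
```

An outside address (198.51.100.7) gets an answer for www.example.com but REFUSED for anything else, while an ACL member gets recursion; only with the STRICTER options does allow-recursion change the outcome.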

