Re: Bind 9 allow-recursion limited to localhost - DNS


#1  10-02-2007, 10:53 AM

Answering from cache doesn't require recursion, so allow-recursion has
no effect on it.

Solutions:
1) Use separate views for inside versus outside, with recursion turned
off for the "outside" view (this will result in a "root referral" being
returned if something outside of your hosted zones is queried),
2) Only allow queries from your internal clients by default, and then
override that default with an "allow-query { any; };" on each and every
zone you host to the Internet (this will result in a REFUSED response
being returned for queries outside of your hosted zones), or
3) Wait until BIND 9.4.0 comes out, since it addresses this need with
"allow-query-cache", see http://www.isc.org/sw/bind/bind9.4-beta.php
(REFUSED also).


- Kevin


dan_delspam@edenpics.com wrote:
> Hello.
>
> I am trying to set up a DNS server that is a master for the world and a
> caching name server for the localhost only.
> I have been able to set up something quite near this, but here is my
> problem:
>
> When I do a query of an external domain name from the outside, the
> query is properly blocked. However, if I do query the server from my
> server (localhost) for the same domain name, and then try the first
> operation of querying the server from the outside, then the query is
> successful that time.
>
> To be clearer:
>
> 1. external query blocks ok:
> from ip 192.168.0.100: nslookup google.com 192.168.0.1
> *** Can't find google.com: No answer
>
> 2. internal query works fine as wanted:
> from ip 192.168.0.1: nslookup google.com 192.168.0.1
> Name: google.com
> Address: 64.233.167.99
>
> 3. external query like point 1 again is accepted this time:
> from ip 192.168.0.100: nslookup google.com 192.168.0.1
> Name: google.com
> Address: 64.233.167.99
>
> It's like if the 'allow-recursion' directive would not allow to make a
> recursion (relaying the request to the source DNS server), but would
> still allow external requests to access the internal cache of the DNS.
> I don't know if this is the normal behaviour, but my question is to know
> if there is a way to block all requests for domains which are not my
> master domain names for the outside.
> I thought that this directive would take care of it, but it doesn't
> seem so.
> Can someone also try that and tell me if this is happening elsewhere or
> if this is a misconfiguration of my DNS ?
>
> I am using Bind 9.2.4-2 on a CentOS 4.3 server.
>
> Here is my configuration file (top only, the rest are only zones):
>
> options {
>     directory "/var/named";
>     recursion yes; // prevent caching for all by default, overridden below.
>     allow-recursion {127.0.0.1;};
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     query-source port 53; // because firewall allows port 53 only
>     allow-transfer {"none"; }; // transfer will be allowed per zone below.
> };
>
> controls {
>     inet 127.0.0.1 allow { "none"; };
> };
>
> Thanks for any help.
> Daniel
>



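The point Kevin makes is that allow-recursion only decides who may trigger a lookup; a name that is already in the cache is served without recursion, so a second directive is needed to keep outsiders from reading the cache. The following named.conf is an added illustration written for this thread, not the configuration of either poster. It implements Kevin's solution 2 (restrictive default allow-query, overridden per hosted zone) and shows, commented out, the equivalent allow-query-cache form from solution 3 for BIND 9.4.0 and later. The ACL name "trusted", the addresses in it, the zone name and the secondary's address are assumptions chosen for illustration.

```conf
// Added example, not the original poster's named.conf.
// Goal: authoritative for hosted zones toward the whole Internet,
// recursive (and cache-answering) only for trusted clients.

// Assumed ACL: the server itself plus its LAN address.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.168.0.1;                    // assumed: the server's own LAN address
};

options {
    directory "/var/named";
    recursion yes;

    // Solution 2 (works on BIND 9.2): the default allow-query is
    // restrictive, so untrusted sources get REFUSED for anything that is
    // not explicitly opened below, cached answers included.
    allow-query     { trusted; };
    allow-recursion { trusted; };

    // Solution 3 (BIND 9.4.0 and later): allow-query-cache gates cache
    // reads on its own, so allow-query can be left open for the
    // authoritative data without exposing the cache. Use instead of the
    // two lines above once running 9.4+:
    // allow-query       { any; };
    // allow-query-cache { trusted; };
    // allow-recursion   { trusted; };

    // Transfers are closed by default and opened per zone.
    allow-transfer { none; };
};

// A hosted zone (assumed name): anyone may query it, only the listed
// secondary may transfer it. The per-zone allow-query overrides the
// restrictive default from the options block.
zone "example.com" {
    type master;
    file "masters/example.com.zone";
    allow-query    { any; };
    allow-transfer { 192.0.2.2; };  // assumed: secondary server address
};
```

To check the result, repeat the three-step test from the original post with dig: from an untrusted host, `dig @192.168.0.1 google.com` should return `status: REFUSED`, and it must still do so after the same name has been looked up from 127.0.0.1 (that second step is what populates the cache and exposed the original configuration). `dig @192.168.0.1 example.com SOA` from the same untrusted host should return `NOERROR` with the authoritative answer. On BIND 9.4 and later the cache is governed by allow-query-cache, which defaults to the allow-recursion list when it is not set, so the solution-2 layout keeps the same effect after an upgrade. One unrelated caveat on the original options block: `query-source port 53` pins the outbound source port, which forgoes the source-port randomization that later BIND releases use as a defence against cache poisoning; if the firewall permits it, leave the source port unpinned on a recursive server.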
#2  10-02-2007, 10:53 AM

Hello, Kevin.

Thanks so much for your quick and useful answer.
I have tried your solution number 2 (disallow queries to all but
localhost, and then allow queries to all for each zone), and this
works great now! It is no longer possible for others to access my DNS
cache.
So it is fine even with version 9.2.4-2 of Bind.
I'm glad that a new directive is introduced in version 9.4, which seems
so important to me.

So this is what my /etc/named.conf configuration file looks like now:

options {
    directory "/var/named";
    recursion yes; // Allow caching, but limited below to everyone outside localhost.
    allow-recursion {local_hosts;};
    allow-query { local_hosts;}; // this must be limited to everyone, else they will have access to your cache !
    query-source port 53; // because firewall allows port 53 only
    allow-transfer {"none"; }; // transfer will be allowed per zone below.
};

zone "my_domain.com" {
    type master;
    file "masters/sec.zone";
    // IP addresses of slave servers allowed to transfer example.com
    allow-transfer {secondaries;};
    allow-query {any;}; // this is needed to override the default setting above.
};


With kind regards, and thanks again.
Daniel

