DNS Recursion
Benjamin Scott
dragonhawk at iname.com
Wed Sep 14 21:23:01 EDT 2005
On Sep 14 at 11:34am, Kenneth E. Lussier wrote:
> I'm using BIND8 (8.4.6) as an external name server. I want to also use it
> as the name server for my external boxes. However, I can't seem to get
> recursion to work correctly.
If I understand you correctly:
You have a nameserver which is authoritative for one or more zones. You want
the nameserver to answer queries about those zones, regardless of where the
query came from. You also want the nameserver to attempt to answer queries in
general, but only when the queries come from specific network(s).
Note that recursion doesn't enter into the above problem statement; that'll
become important in a second. :)
For the sake of discussion, let's say 192.0.2.0/24 is the network you want
to provide full service for. We will call this your "trusted network".
Let's also say the zone you are claiming authority for is <example.com>.
> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
> named[2692]: denied recursion for query from [x.x.x.x].24684 for
> www.google.com IN
"allow-recursion" is not the best choice for this. In the above, BIND will
still attempt to answer queries, it just won't perform recursion to do so.
In particular, the cache is still available. See problem statement, above.
So, the better choice is "allow-query". First, define an ACL, like you
mentioned:
acl "trusted" {
    192.0.2.0/24;   // the trusted network
    127.0.0.1;      // the server itself
};
Next, in the global scope, allow queries from your trusted network. This
will implicitly block queries not from your trusted network:
options {
    // ...
    allow-query {
        trusted;    // everyone else is refused by default
    };
};
Finally, in the zones you are claiming authority for, make an exception to
that global "deny untrusted" policy:
zone "example.com" {
    // ...
    allow-query {
        any;        // authoritative data is public; zone-level setting overrides the global one
    };
};
That should do it, I believe.
References:
Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html
BIND Administrator Reference Manual
(included in BIND distribution)
--
Ben <dragonhawk at iname.com>
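The following is an added example, not part of the original post and not BIND's own code: a small, simplified model of how BIND decides what to do with a query, given a global allow-query, a zone-level allow-query override, and allow-recursion. It is useful for seeing why the two approaches in the thread behave differently: with allow-recursion alone, an outside client is still answered from whatever happens to be in the cache; with the allow-query policy above, outside clients get only the authoritative zone data. All addresses (192.0.2.0/24, 203.0.113.7), zone names, and the cache contents are constructed for illustration; the evaluation order is a deliberate simplification of BIND's real logic.

```python
"""Simplified model of BIND's allow-query / allow-recursion decision.

Added example (not from the original post or from BIND). The two configs
below mirror the thread: RECURSION_ONLY is the original poster's approach,
QUERY_POLICY is the one recommended in the reply. All values are constructed.
"""
import ipaddress

# Subset of BIND's built-in ACL names.
BUILTIN_ACLS = {
    "any": lambda ip: True,
    "none": lambda ip: False,
    "localhost": lambda ip: ip.is_loopback,
}


def acl_matches(source_ip, terms, acls):
    """True if source_ip matches any term: a built-in ACL name, a named ACL
    defined in `acls`, or an IP / CIDR literal."""
    ip = ipaddress.ip_address(source_ip)
    for term in terms:
        if term in BUILTIN_ACLS:
            if BUILTIN_ACLS[term](ip):
                return True
        elif term in acls:
            if acl_matches(source_ip, acls[term], acls):
                return True
        elif ip in ipaddress.ip_network(term, strict=False):
            return True
    return False


def authoritative_zone(qname, zones):
    """Return the configured zone that is the longest suffix of qname, or None."""
    name = qname.rstrip(".").lower()
    best = None
    for key in zones:
        z = key.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best.rstrip(".")):
                best = key
    return best


def evaluate(config, source_ip, qname, cache):
    """Return 'authoritative', 'refused', 'recursive', 'cache' or
    'denied-recursion' for a query from source_ip for qname."""
    acls = config.get("acl", {})
    options = config["options"]
    zones = config.get("zone", {})

    zone = authoritative_zone(qname, zones)
    if zone is not None:
        # A zone-level allow-query replaces the global one for that zone.
        terms = zones[zone].get("allow-query", options.get("allow-query", ["any"]))
        return "authoritative" if acl_matches(source_ip, terms, acls) else "refused"

    # Not our data: the global allow-query decides whether we answer at all.
    if not acl_matches(source_ip, options.get("allow-query", ["any"]), acls):
        return "refused"

    # We will answer; allow-recursion only decides whether we may go and look it up.
    if acl_matches(source_ip, options.get("allow-recursion", ["any"]), acls):
        return "recursive"
    # Recursion denied, but cached data is still handed out (the point made above).
    return "cache" if qname.rstrip(".").lower() in cache else "denied-recursion"


# Constructed: the original poster's approach (allow-recursion only).
RECURSION_ONLY = {
    "acl": {"trusted": ["192.0.2.0/24", "127.0.0.1"]},
    "options": {"allow-recursion": ["trusted"]},
    "zone": {"example.com": {}},
}

# Constructed: the approach recommended in the reply (allow-query + zone override).
QUERY_POLICY = {
    "acl": {"trusted": ["192.0.2.0/24", "127.0.0.1"]},
    "options": {"allow-query": ["trusted"]},
    "zone": {"example.com": {"allow-query": ["any"]}},
}

# Constructed cache contents: pretend a trusted client resolved this a moment ago.
CACHE = {"www.google.com"}


if __name__ == "__main__":
    for label, cfg in (("allow-recursion only", RECURSION_ONLY), ("allow-query policy", QUERY_POLICY)):
        print(label)
        for src, name in (("203.0.113.7", "www.example.com"),
                          ("203.0.113.7", "www.google.com"),
                          ("203.0.113.7", "mail.example.net"),
                          ("192.0.2.10", "www.google.com")):
            print(f"  {src:>12} asks {name:<18} -> {evaluate(cfg, src, name, CACHE)}")
```

Running it shows the untrusted 203.0.113.7 getting a "cache" answer for www.google.com under the allow-recursion-only config but "refused" under the allow-query policy, while www.example.com is answered for everyone in both cases. On a real server the equivalent check is a `dig` against it from a host outside the trusted network: a name outside your zones should come back with status REFUSED, and a name inside them should be answered normally.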
More information about the gnhlug-discuss mailing list