DNS Recursion

Benjamin Scott dragonhawk at iname.com
Wed Sep 14 21:23:01 EDT 2005


On Sep 14 at 11:34am, Kenneth E. Lussier wrote:
> I'm using BIND8 (8.4.6) as an external name server.  I want to also use it 
> as the name server for my external boxes.  However, I can't seem to get 
> recursion to work correctly.

   If I understand you correctly:

   You have a nameserver which is authoritative for one or more zones.  You want 
the nameserver to answer queries about those zones, regardless of where the 
query came from.  You also want the nameserver to attempt to answer queries in 
general, but only when the queries come from specific network(s).

   Note that recursion doesn't enter into the above problem statement; that'll 
become important in a second.  :)

   For the sake of discussion, let's say 192.0.2.0/24 is the network you want 
to provide full service for.  We will call this your "trusted network". 
Let's also say the zone you are claiming authority for is <example.com>.

> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
> named[2692]: denied recursion for query from [x.x.x.x].24684 for
> www.google.com IN

   "allow-recursion" is not the best choice for this.  In the above, BIND will 
still attempt to answer queries, it just won't perform recursion to do so. 
In particular, the cache is still available.  See problem statement, above.

   So, the better choice is "allow-query".  First, define an ACL, like you 
mentioned:

    acl "trusted" {
        192.0.2.0/24;
        127.0.0.1;
    };

   Next, in the global scope, allow queries from your trusted network.  This 
will implicitly block queries not from your trusted network:

    options {
        // ...
        allow-query {
            trusted;
        };
    };

   Finally, in the zones you are claiming authority for, make an exception to 
that global "deny untrusted" policy:

    zone "example.com" {
        // ...
        allow-query {
            any;
        };
    };

   That should do it, I believe.


   References:

Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html

BIND Administrator Reference Manual
(included in BIND distribution)

-- 
Ben <dragonhawk at iname.com>
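The allow-query versus allow-recursion distinction above, checked mechanically, as an added example that is not part of the original post: a small Python script parses two constructed named.conf fragments (one restricting only recursion, one restricting allow-query globally with a per-zone exception) and reports which address-match list governs ordinary queries, recursion, and each zone. It assumes BIND treats an absent directive as `any`, and reuses the "trusted" ACL and example.com zone from the reply.

```python
import re
# Constructed named.conf fragments (not from the original post): WEAK restricts
# only recursion; FIXED restricts allow-query globally and re-opens it per zone.
WEAK_CONF = '''
acl "trusted" { 192.0.2.0/24; 127.0.0.1; };
options { allow-recursion { trusted; }; };
zone "example.com" { type master; file "example.com.zone"; };
'''
FIXED_CONF = '''
acl "trusted" { 192.0.2.0/24; 127.0.0.1; };
options {
    allow-query { trusted; };   // untrusted clients get nothing by default
    allow-recursion { trusted; };
};
zone "example.com" {
    type master; file "example.com.zone";
    allow-query { any; };       // except the zones we are authoritative for
};
'''

def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { ... };` statement."""
    text = re.sub(r'//[^\n]*|/\*.*?\*/', '', text, flags=re.S)  # drop comments
    i = 0
    while (start := text.find('{', i)) >= 0:
        header = text[i:start].strip().lstrip(';').strip()
        depth, j = 1, start + 1
        while depth:  # advance to the matching close brace
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j

def match_list(body, directive):
    """Address-match list of `directive { ... };` in body, or None if absent."""
    m = re.search(r'\b' + re.escape(directive) + r'\s*\{([^}]*)\}', body)
    return [t.strip() for t in m.group(1).split(';') if t.strip()] if m else None

def audit(conf):
    """Report the match lists for plain queries, recursion and each zone (absent = `any`, assumed BIND default)."""
    blocks = dict(top_level_blocks(conf))
    opts = blocks.get('options', '')
    report = {'global_query': match_list(opts, 'allow-query') or ['any'],
              'global_recursion': match_list(opts, 'allow-recursion') or ['any'],
              'zones': {}}
    for header, body in blocks.items():
        if header.startswith('zone'):
            name = header.split('"')[1]
            report['zones'][name] = match_list(body, 'allow-query') or report['global_query']
    # With allow-query open, anyone can still read the cache with non-recursive queries.
    report['cache_open'] = report['global_query'] == ['any']
    return report
```

Running `audit(WEAK_CONF)` flags the cache as open even though recursion is restricted, while `audit(FIXED_CONF)` shows only example.com answered to untrusted clients.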