Resolving locally hosted zones to trusted clients
Matt Goli
mattgoli at mac.com
Thu Oct 28 19:53:35 UTC 2004
Greetings all:
I've setup a public BIND 9.2.2 server to host a number of zones for our
companies domains based on Rob Thomas's "Secure BIND Template"
http://www.cymru.com/Documents/secure-bind-template.html.
I have one view (external-in) setup to allow any device to query the
public domains from this BIND server and am not allowing recursive
lookups from public IPs. I have a second view (internal-in) setup that
performs recursive lookups for a ACL of "trusted" IP addresses, and
that is working as expected. My problem comes in when trusted IP
addresses attempt to query a zone out of my "external-in" view. I
simply get a "connection timed out; no servers could be reached" when I
dig from the trusted IP addresses.
So in summery, I can do the following from trusted ip address
216.111.14.242:
dig @63.238.248.3 www.google.com
But cannot do:
dig @63.238.248.3 www.krause.com
But from an untrusted IP I can do:
dig @63.238.248.3 www.krause.com
Below is my named.conf file for reference. Any feedback is greatly
appreciated.
Thank you,
---
Matt Goli, MCP
Systems Support Group
F+W Publications, Inc.
- www.fwpublications.com
Krause Publications, a division of F+W Publications, Inc.
- www.krause.com
// Declares control channels to be used by the rndc utility.
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
acl "xfer" {
// ALlow no transfers. If we have other name servers, please
them here.
none;
};
acl "trusted" {
// Please our internal and DMZ subnets in here so that intranet
and DMZ
// clients may send DNS queries. This also prevents outside
hosts from using
// our name server as a resolver for other domains.
63.238.248.0/24;
69.28.6.0/24;
216.111.14.240/29;
63.151.151.120/29;
207.136.180.0/29;
67.129.227.184/29;
208.46.1.120/29;
65.114.186.64/28;
172.29.0.0/16;
192.168.251.0/24;
localhost; // Self Explanatory
};
acl "bogon" {
// Filter out the bogon networks. These are networks listed by
IANA as test
// RFC 1918, Multicast, experimental, etc. If you see DNS
queries or updates
// with a source address within these networks, this is likely
of malicious
// origin. CAUTION: If you are using RFC1918 netblocks on
your network, remove
// those netblocks from this list of blackhole ACLs!
// ACL removed for this e-mailing.
};
key "rndc-key" {
algorithm hmac-md5;
secret <removed>
};
controls {
inet 127.0.0.1 port 54 allow {any; };
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key";
};
};
options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
dump-file "/var/named/named.dump";
zone-statistics yes;
notify no;
transfer-format many-answers;
max-transfer-time-in 60;
interface-interval 0;
recursion false;
version "Unknown";
allow-transfer {
// Zone transfers limited to members of "xfer" ACL.
xfer;
};
allow-query {
// Accept queries from our "trusted" ACL." We will
allow anyone to query
// our master zones below. This prevents us from
becoming a free DNS server
// to the masses.
trusted;
};
blackhole {
// Deny anything from the bogon networks as details in
the "bogon" ACL.
bogon;
};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
logging {
channel _default_log {
file "/Library/Logs/named.log";
severity debug;
print-time yes;
};
channel audit_log {
// Send the security related messages to a seperate
file.
file "/Library/Logs/named_audit.log";
severity debug;
print-time yes;
};
category default { _default_log; };
category general { _default_log; };
category security { _default_log; audit_log; };
category config { _default_log; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
// Link in the root server hint file.
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "251.168.192.in-addr.arpa" IN {
type slave;
file "251.168.192.in-addr.arpa.bak";
masters { 172.29.10.21; };
};
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrustet) view. We permit any client oto
access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "." in {
// Link in the root server hint file.
type hint;
file "named.ca";
};
zone "fwpubs.com" IN {
type slave;
file "fwpubs.com.bak";
masters { 172.29.10.21; };
allow-query { any; };
};
zone "krause.com" IN {
type slave;
file "krause.com.bak";
masters { 172.29.10.21; };
allow-query { any; };
};
};
More information about the bind-users
mailing list