Resolving locally hosted zones to trusted clients

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 28 22:42:33 UTC 2004


Trusted clients only ever match your "internal-in" view, which does not define the krause.com or fwpubs.com zones, so you need to slave or stub the relevant zone(s) in the internal view. If 
you decide to slave them, don't forget the also-notify's on the master 
to speed up change propagation!

- Kevin

Matt Goli wrote:

>Greetings all:
>
>I've setup a public BIND 9.2.2 server to host a number of zones for our 
>companies domains based on Rob Thomas's "Secure BIND Template" 
>http://www.cymru.com/Documents/secure-bind-template.html.
>
>I have one view (external-in) setup to allow any device to query the 
>public domains from this BIND server and am not allowing recursive 
>lookups from public IPs.  I have a second view (internal-in) setup that 
>performs recursive lookups for a ACL of "trusted" IP addresses, and 
>that is working as expected.  My problem comes in when trusted IP 
>addresses attempt to query a zone out of my "external-in" view.  I 
>simply get a "connection timed out; no servers could be reached" when I 
>dig from the trusted IP addresses.
>
>So in summary, I can do the following from trusted IP address 
>216.111.14.242:
>	dig @63.238.248.3 www.google.com
>
>But cannot do:
>	dig @63.238.248.3 www.krause.com
>
>But from an untrusted IP I can do:
>	dig @63.238.248.3 www.krause.com
>
>Below is my named.conf file for reference.  Any feedback is greatly 
>appreciated.
>
>Thank you,
>
>---
>Matt Goli, MCP
>Systems Support Group
>
>F+W Publications, Inc.
>- www.fwpublications.com
>Krause Publications, a division of F+W Publications, Inc.
>- www.krause.com
>
>// Declares control channels to be used by the rndc utility.
>// It is recommended that 127.0.0.1 be the only address used.
>// This also allows non-privileged users on the local host to manage
>// your name server.
>//
>acl "xfer" {
>         // Allow no transfers.  If we have other name servers, place them here.
>         none;
>};
>acl "trusted" {
>         // Place our internal and DMZ subnets in here so that intranet and DMZ
>         // clients may send DNS queries.  This also prevents outside hosts from using
>         // our name server as a resolver for other domains.
>         63.238.248.0/24;
>         69.28.6.0/24;
>         216.111.14.240/29;
>         63.151.151.120/29;
>         207.136.180.0/29;
>         67.129.227.184/29;
>         208.46.1.120/29;
>         65.114.186.64/28;
>         172.29.0.0/16;
>         192.168.251.0/24;
>         localhost; // Self Explanatory
>};
>acl "bogon" {
>         // Filter out the bogon networks.  These are networks listed by IANA as test,
>         // RFC 1918, Multicast, experimental, etc.  If you see DNS queries or updates
>         // with a source address within these networks, this is likely of malicious
>         // origin.  CAUTION:  If you are using RFC1918 netblocks on your network, remove
>         // those netblocks from this list of blackhole ACLs!
>		
>		// ACL removed for this e-mailing.
>};
>
>key "rndc-key" {
>         algorithm hmac-md5;
>         secret <removed>
>};
>
>controls {
>         inet 127.0.0.1 port 54 allow {any; };
>         inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; 
>};
>};
>
>options {
>         directory "/var/named";
>         pid-file "/var/named/named.pid";
>         statistics-file "/var/named/named.stats";
>         dump-file "/var/named/named.dump";
>         zone-statistics yes;
>         notify no;
>         transfer-format many-answers;
>         max-transfer-time-in 60;
>         interface-interval 0;
>         recursion false;
>         version "Unknown";
>         allow-transfer {
>                 // Zone transfers limited to members of "xfer" ACL.
>                 xfer;
>         };
>
>         allow-query {
>                 // Accept queries from our "trusted" ACL.  We will allow anyone to query
>                 // our master zones below.  This prevents us from becoming a free DNS server
>                 // to the masses.
>                 trusted;
>         };
>
>         blackhole {
>                 // Deny anything from the bogon networks as detailed in the "bogon" ACL.
>                 bogon;
>         };
>
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below.  Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>         // query-source address * port 53;
>};
>
>logging {
>         channel _default_log  {
>                 file "/Library/Logs/named.log";
>                 severity debug;
>                 print-time yes;
>         };
>
>         channel audit_log {
>                 // Send the security related messages to a separate file.
>                 file "/Library/Logs/named_audit.log";
>                 severity debug;
>                 print-time yes;
>         };
>
>         category default { _default_log; };
>         category general { _default_log; };
>         category security { _default_log; audit_log; };
>         category config { _default_log; };
>         category resolver { audit_log; };
>         category xfer-in { audit_log; };
>         category xfer-out { audit_log; };
>         category notify { audit_log; };
>         category client { audit_log; };
>         category network { audit_log; };
>         category update { audit_log; };
>         category queries { audit_log; };
>         category lame-servers { audit_log; };
>};
>
>view "internal-in" in {
>         // Our internal (trusted) view.  We permit the internal networks
>         // to freely access this view.  We perform recursion for our
>         // internal hosts, and retrieve data from the cache for them.
>
>         match-clients { trusted; };
>         recursion yes;
>         additional-from-auth yes;
>         additional-from-cache yes;
>
>         zone "." in {
>                 // Link in the root server hint file.
>                 type hint;
>                 file "named.ca";
>         };
>
>         zone "localhost" IN {
>                 type master;
>                 file "localhost.zone";
>                 allow-update { none; };
>         };
>
>         zone "0.0.127.in-addr.arpa" IN {
>                 type master;
>                 file "named.local";
>                 allow-update { none; };
>         };
>         zone "251.168.192.in-addr.arpa" IN {
>                 type slave;
>                 file "251.168.192.in-addr.arpa.bak";
>                 masters { 172.29.10.21; };
>         };
>};
>
>// Create a view for external DNS clients.
>view "external-in" in {
>         // Our external (untrusted) view.  We permit any client to access
>         // portions of this view.  We do not perform recursion or cache
>         // access for hosts using this view.
>
>         match-clients { any; };
>         recursion no;
>         additional-from-auth no;
>         additional-from-cache no;
>
>         zone "." in {
>                 // Link in the root server hint file.
>                 type hint;
>                 file "named.ca";
>         };
>         zone "fwpubs.com" IN {
>                 type slave;
>                 file "fwpubs.com.bak";
>                 masters { 172.29.10.21; };
>                 allow-query { any; };
>         };
>         zone "krause.com" IN {
>                 type slave;
>                 file "krause.com.bak";
>                 masters { 172.29.10.21; };
>                 allow-query { any; };
>         };
>};
>
>
>
>
>
>  
>



