Problem with Views and restricting recursive queries --Help!

Chris Buxton cbuxton at menandmice.com
Fri Dec 7 23:17:26 UTC 2007


> I'd hate to have to copy and paste all the
> INTERNET zones into the INTERNAL one, that would be nuts! :)

Ah, welcome to the joy of views. With views, each view is in essence a  
separate server, with its own list of zones and such. A query doesn't  
match more than one view - whichever view it matches first is the one  
that gets it.

What you want to do is this:

- Divide users into public and private (views INTERNAL and INTERNET,  
in your config).
- Do *not* include the IPv4 loopback address in ACL_TRUSTED. (Or you  
could use the IPv6 loopback address for this special trick.)
- Have the INTERNAL view forward recursive queries to the INTERNET  
view via the loopback address, so that internal users can resolve  
public domains without you having to duplicate them all.

Note that if your internal "ourdomain" has the same name as any public  
(view INTERNET) domain, or is a parent of any public domain, internal  
users will not see any records from that public domain. (I use the  
word "domain" instead of "zone" quite deliberately here; they have  
different meanings.)

Also note that this will expose your cached data to the public. You  
can control this by either upgrading to BIND 9.4.x or by adding  
allow-query statements to both the INTERNET view and to all zones in it.  
(Another thing to note is that all cached data will wind up being  
cached twice, in each view. You may be able to control this by setting  
cache size parameters in the INTERNET view - I've never done that, so  
I can't say for sure.)

Here is an adjusted config based on what you posted, that will behave  
as I've described:
______________________________________________________________

acl ACL_TRUSTED {
	118.229.0.0/16; 198.213.0.0/16;    //etc.. Etc..
};

options {
	directory "/etc/named.zone";
	recursive-clients 2000;
	transfer-source 145.229.194.2;
	additional-from-cache no;
};

view "INTERNAL" IN {
	match-clients { ACL_TRUSTED; } ;

	//** if we are 'trusted' then give me recursion!
	allow-recursion { ACL_TRUSTED; };
	forwarders { 127.0.0.1; };

	zone "ourdomain" {
		type slave;
		file "slave/ourdomain.private";
		masters { 199.161.6.8; };
		allow-transfer { 199.161.6.8; };
	};
};

view "INTERNET" IN {
	match-clients { any; };
	allow-recursion { 127.0.0.1; };

	zone "0.0.127.in-addr.arpa" {
        	type master;
        	file "arpa.127.0.0";
	};

	zone "ourwebsite.com" {
		type slave;
        	file "slave/website.public";
        	masters { 199.161.6.8; };
        	allow-transfer { 199.161.6.8; };
	};


	//**LOTS of public zones here**
};
______________________________________________________________

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com




On Dec 7, 2007, at 2:26 PM, Chris Dibble wrote:

> Hello, I had posted about a problem I was having with regards to
> restricting recursion to a certain view earlier, but I am no closer to
> finding out what is wrong.. Version: BIND 9.2.2.P1
> Below is basically a stripped down copy of our config for one of our
> secondary DNS servers (the one I can mess with!). . . We are trying to
> implement two views, a public and a private one. It is preferred that
> people that fall into the public category do not have the ability to see
> our private zones or perform recursive queries at all.
>
> Our intention is to restrict lookups for anyone not on our ACL_TRUSTED
> acl.. The two requirements are the following:
>
> -anyone defined in ACL_TRUSTED should have access to our INTERNAL zones:
> 'ourdomain' and *also* all INTERNET zones as well. Also, they need to be
> able to perform recursive queries (ie: google.com)
>
> -everyone else (non trusted) should only be able to see INTERNET zones:
> 'ourwebsite', etc.. and no ability to recurse (Query refused) if it's not
> one of the INTERNET zones...
>
> I was hoping that in the below scenario, ACL_TRUSTED would match in both
> INTERNAL and INTERNET views giving full access, and everyone else just
> INTERNET. I thought I would turn off recursion by default and then use
> the allow-recursion clause to override for ACL_trusted IPs but it does
> not seem to work. My guess is when it 'hits' the INTERNET view, it says
> recursion no. help!!
>
> So my question is if there is something I am doing wrong or if there is
> a better way to do this. I'd hate to have to copy and paste all the
> INTERNET zones into the INTERNAL one, that would be nuts! :) Any help
> would be a godsend!! Thanks in advance!
>
>
> Here is a sample of our config:
>
> ------------------------------------------------------------------------------------
>
>
> //define trusted IP's
>
> acl ACL_TRUSTED {
> 	118.229.0.0/16; 198.213.0.0/16;    //etc.. Etc..
> };
>
>
> options {
> 	directory "/etc/named.zone";
>
> 	recursive-clients 2000;
>
> 	transfer-source 145.229.194.2;
>
> 	additional-from-cache no;
>
> 	recursion no;				//turn off recursion by default
>
> 	allow-recursion { acl_trusted; };	//?? Override and let trusted recurse -- **doesn't work**
> };
>
>
> view "INTERNAL" IN {
> 	match-clients { ACL_TRUSTED; } ;
>
> 	//** if we are 'trusted' then give me recursion!
> 	recursion yes;				
>
> 	zone "ourdomain" {
> 		type slave;
> 		file "slave/ourdomain.private";
> 		masters { 199.161.6.8; };
> 		allow-transfer { 199.161.6.8; };
> 	};
> };
>
>
> view "INTERNET" IN {
> 	match-clients { any; };
> 	
> 	//**tried the two lines below just to test, but it did not work.
> 	//**the recursion no would turn it OFF for everyone, even trusted people.. why??!!
> 	
> 	recursion no;
> 	allow-recursion { ACL_TRUSTED; };
>
>
> 	zone "0.0.127.in-addr.arpa" {
>        	type master;
>        	file "arpa.127.0.0";
> 	};
>
> 	zone "ourwebsite.com" {
> 		type slave;
>        	file "slave/website.public";
>        	masters { 199.161.6.8; };
>        	allow-transfer { 199.161.6.8; };
> 	};
>
>
> 	//**LOTS of public zones here**
> };
>
> --------------------------------------------------------------------------------
>
>
>
>


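The following is an added illustration, not code from either message and not BIND itself: a small Python model of the first-match view selection described in the reply, with the thread's ACL and view definitions transcribed into dictionaries so you can check the "don't put the loopback address in ACL_TRUSTED" warning before touching named.conf. The deliberately broken ACL set (loopback added to ACL_TRUSTED) is constructed for the demonstration.

```python
"""Model of BIND view selection for the INTERNAL/INTERNET split in the thread (added example)."""
import ipaddress

# ACLs as in the thread's config; "any" stands in for BIND's built-in catch-all.
ACLS = {
    "ACL_TRUSTED": ["118.229.0.0/16", "198.213.0.0/16"],
    "any": ["0.0.0.0/0"],
}

# Views in named.conf order. Order matters: the first view whose
# match-clients covers the source address owns the query; later views are never consulted.
VIEWS = [
    {"name": "INTERNAL", "match_clients": ["ACL_TRUSTED"],
     "allow_recursion": ["ACL_TRUSTED"], "forwarders": ["127.0.0.1"]},
    {"name": "INTERNET", "match_clients": ["any"],
     "allow_recursion": ["127.0.0.1"], "forwarders": []},
]

# Constructed misconfiguration: loopback added to ACL_TRUSTED, which the reply says not to do.
ACLS_LOOPBACK_TRUSTED = {**ACLS, "ACL_TRUSTED": ACLS["ACL_TRUSTED"] + ["127.0.0.1"]}


def acl_matches(entries, addr, acls):
    """True if addr is covered by any entry (a named ACL or an address/prefix)."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if entry in acls:
            if acl_matches(acls[entry], addr, acls):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def select_view(addr, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients covers addr, else None."""
    for view in views:
        if acl_matches(view["match_clients"], addr, acls):
            return view["name"]
    return None


def recursion_allowed(addr, views=VIEWS, acls=ACLS):
    """Would the view that owns addr recurse for it?"""
    owner = select_view(addr, views, acls)
    view = next(v for v in views if v["name"] == owner)
    return acl_matches(view["allow_recursion"], addr, acls)


def forwarding_loops(views=VIEWS, acls=ACLS):
    """Views whose forwarder address lands back in the same view (INTERNAL forwarding to itself)."""
    return [v["name"] for v in views
            for fwd in v["forwarders"] if select_view(fwd, views, acls) == v["name"]]
```

With the reply's ACLs, a trusted client lands in INTERNAL and may recurse, an outside client lands in INTERNET and may not, and the loopback-sourced forwarded query lands in INTERNET; with the loopback address added to ACL_TRUSTED, `forwarding_loops` reports INTERNAL forwarding to itself.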
