bind request configuration

Jeff Lightner jlightner at water.com
Thu Aug 28 17:53:58 UTC 2008


I think the OP was asking how to restrict queries so that they are
honored only by specific DNS servers.  That can certainly be done as
we're doing it here.

The reason for doing this might be that there are "internal" DNS servers
(e.g. Windows DNS) that all the client workstations are supposed to use
for name resolution of internal servers.   There would be separate
"external" DNS servers (e.g. BIND on Linux) that are used as
authoritative servers for domains you want external people to see AND
are the ones that do the recursive lookups for zones you're not
authoritative for (e.g. google.com, yahoo.com).   The "internal" DNS
servers would be configured to do lookups for everything they're not
authoritative for to the "external" servers.

We do exactly that here.

What we did (this is 9.3.4-P1 backported for the Kaminsky attack) in
named.conf:

1) Create an ACL:
acl "internaldns" {
        10.0.x.x; 10.0.x.x;
};

In the above, the 10.0.x.x addresses would be the IPs of the "internal" DNS
servers.

2) In the "options" section, restricted allow-query and allow-recursion to
the internaldns ACL:
allow-query { internaldns; };
allow-recursion { internaldns; };

The allow-query was to allow it to read cache.  In later versions you
don't require both statements I think.

3) For each zone we were authoritative for and defined in named.conf we
added:
allow-query { any; };

That allows anyone internal or external to query the zones.  If you
wanted to actually restrict even such authoritative zones you'd just
leave out this step and the global options would restrict them.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Matthew Pounsett
Sent: Thursday, August 28, 2008 1:24 PM
To: Sener ATAS
Cc: bind-users at isc.org
Subject: Re: bind request configuration

On 28-Aug-2008, at 13:16 , Sener ATAS wrote:

> Hi all,
>
> I use bind-9.5.0-P1 version on FreeBSD.
>
> This server is open to my outside networks. But I want to give
> permission only to DNS servers' requests. I don't want to reply to basic
> client requests. Is there a configuration method for this?

Stub resolvers and servers use the same protocol.  There's no way I
know of to differentiate between the two.  If you have a known set of
servers you want to allow, you can either use ACLs to limit access by
IP address, or TSIG to authenticate clients.
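To sanity-check an ACL layout like the three steps above before deploying it, here is an added example (not Jeff's configuration and not BIND's own code) that models BIND's address-match-list semantics over a constructed named.conf with those steps applied; the addresses 10.0.1.1, 10.0.1.2 and 203.0.113.5 and the zone example.com are assumed values.

```python
import ipaddress
import re

# Constructed named.conf modelled on the three steps in the thread;
# 10.0.1.1 and 10.0.1.2 stand in for the "10.0.x.x" internal DNS servers.
NAMED_CONF = '''
acl "internaldns" { 10.0.1.1; 10.0.1.2; };
options {
    allow-query { internaldns; };
    allow-recursion { internaldns; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
'''

def parse_acls(conf):
    """acl "name" { a; b; };  ->  {"name": ["a", "b"]}"""
    return {name: [e.strip() for e in body.split(';') if e.strip()]
            for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*{([^}]*)}', conf)}

def parse_directive(conf, header, directive):
    """Element list of `directive { ... };` inside the block opened by
    `header` ('options' or 'zone "example.com"'), or None if absent."""
    block = re.search(re.escape(header) + r'\s*{(.*?)\n};', conf, re.S)
    d = block and re.search(directive + r'\s*{([^}]*)}', block.group(1))
    return [e.strip() for e in d.group(1).split(';') if e.strip()] if d else None

def matches(client, elements, acls):
    """BIND address-match-list semantics: the first matching element decides;
    a '!'-negated match denies, and no match at all denies."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate, e = elem.startswith('!'), elem.lstrip('! ')
        if e == 'any':
            hit = True
        elif e == 'none':
            hit = False
        elif e in acls:          # nested ACL: only a positive match counts
            hit = matches(client, acls[e], acls)
        else:                    # bare address or CIDR prefix
            hit = ip in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate
    return False

def allowed(conf, client, zone=None):
    """Return (may_query, may_recurse) for a client address.  A zone-level
    allow-query overrides the global one, which is what step 3 relies on."""
    acls = parse_acls(conf)
    query = parse_directive(conf, 'options', 'allow-query')
    if zone is not None:
        zone_query = parse_directive(conf, 'zone "%s"' % zone, 'allow-query')
        query = zone_query if zone_query is not None else query
    recurse = parse_directive(conf, 'options', 'allow-recursion')
    return matches(client, query, acls), matches(client, recurse, acls)
```

An outside client such as 203.0.113.5 gets (True, False) for example.com and (False, False) for anything else, while the internal servers get (True, True); the model assumes both allow-* directives are present, as they are here.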