Blocking reverse lookup queries for private ips

Mark Andrews marka at isc.org
Thu Nov 24 05:24:46 UTC 2016


Automatic empty zones are not created when there is a forward only
entry covering the zone name.  Almost all the time it is someone
trying to make internal reverse zones work, and if the upstream
server is correctly configured it will prevent the queries leaking
to the Internet as a whole.

You are forwarding all your lookups to Google's recursive servers in
forward only mode, so empty zones won't be created.

If you don't want the queries to be sent to Google, create your own
empty zones or disable forwarding for these namespaces.

Mark

In message <CADu4ah4OqZeTda2PANwVuSV9OAJCaapHZpxaAz7ApdU3DTSz-Q at mail.gmail.com>
, Sachin Patil writes:
> Sending this to bind list ... had only sent to Tony by mistake.. !!
> 
> On Tue, Nov 22, 2016 at 5:45 PM, Sachin Patil <04sachin at gmail.com> wrote:
> 
> > Hello Tony,
> > Thank you very much for the reply.
> >
> > I have configured bind in forward mode.
> > My conf file looks like -
> >
> > options {
> >     directory "/var/cache/named";
> >     pid-file "/var/run/named/named.pid";
> >     recursion yes;
> >     allow-recursion { any; };
> >
> >     forwarders {
> >         8.8.8.8;
> >         8.8.4.4;
> >     };
> >     forward only;
> >     empty-zones-enable yes;
> >     dnssec-enable yes;
> >     dnssec-validation yes;
> >
> >     auth-nxdomain no;    # conform to RFC1035
> >     listen-on-v6 { any; };
> >     server-id none;
> > };
> >
> >
> > Still, lookup requests like "nslookup 10.10.2.20 127.0.0.1" are sent to
> > 8.8.4.4.
> >
> >
> >
> > On Tue, Nov 22, 2016 at 4:27 PM, Tony Finch <dot at dotat.at> wrote:
> >
> >> Sachin Patil <04sachin at gmail.com> wrote:
> >>
> >> > I want to return nxdomain for any private ip reverse lookup.
> >>
> >> BIND does this by default. Look for "built-in empty zones" in
> >> https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html
> >>
> >> Tony.
> >> --
> >> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h
> >> punycode
> >> Southeast Iceland: Northerly 4 or 5, becoming variable 3 or 4. Rough
> >> becoming
> >> moderate. Wintry showers. Good, occasionally moderate.
> >>
> >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
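The two fixes Mark describes (disable forwarding for the private reverse namespaces, or serve your own empty zones) as an added worked example; this is not code from the thread or from ISC. It takes the RFC 1918 and loopback reverse zone names, works out which of them covers a given PTR query name, and emits the named.conf stanzas for either approach. A zone-level `forwarders { };` with an empty list turns forwarding off for that subtree, which is what lets named create its automatic empty zone there again; the file path /etc/bind/db.empty is an assumed name for a local empty-zone file (SOA and NS only) that you would have to create yourself.

```python
"""
Added example (not from the bind-users thread): given the private and
loopback reverse zones that BIND would normally cover with automatic
empty zones, find the zone covering a PTR query name and generate the
named.conf stanzas that keep those queries away from the global
"forward only" forwarders.
"""
import ipaddress
from typing import Optional

# RFC 1918 plus loopback reverse zones, the same names BIND uses for its
# built-in empty zones.  172.16.0.0/12 is sixteen separate /16 reverse zones.
PRIVATE_REVERSE_ZONES = (
    ["10.in-addr.arpa", "127.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
)


def reverse_name(ip: str) -> str:
    """'10.10.2.20' -> '20.2.10.10.in-addr.arpa' (what a PTR / dig -x asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer


def covering_empty_zone(qname: str) -> Optional[str]:
    """Return the private reverse zone that contains qname, or None if the
    query is for public address space and should go upstream as usual."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in PRIVATE_REVERSE_ZONES:
        zl = zone.split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return zone
    return None


def no_forward_stanza(zone: str) -> str:
    """Option 1: override the global 'forward only' for one zone.  An empty
    forwarders list disables forwarding below this name, so named resolves it
    locally and, with empty-zones-enable, answers NXDOMAIN from the automatic
    empty zone instead of sending the query to 8.8.8.8."""
    return f'zone "{zone}" {{\n    type forward;\n    forwarders {{ }};\n}};\n'


def empty_zone_stanza(zone: str, db: str = "/etc/bind/db.empty") -> str:
    """Option 2: serve the zone yourself from a minimal zone file (SOA + NS),
    so every name under it gets NXDOMAIN from this server.  'db' is an assumed
    path; the zone file itself is not generated here."""
    return f'zone "{zone}" {{\n    type master;\n    file "{db}";\n}};\n'


def named_conf_fragment(style: str = "no-forward") -> str:
    """Stanzas for all private reverse zones, to be included from named.conf."""
    make = no_forward_stanza if style == "no-forward" else empty_zone_stanza
    return "".join(make(z) for z in PRIVATE_REVERSE_ZONES)


if __name__ == "__main__":
    q = reverse_name("10.10.2.20")          # the lookup from the thread
    print(q, "is covered by", covering_empty_zone(q))
    print(named_conf_fragment("no-forward"))
```

After adding the fragment and reloading, check with `dig @127.0.0.1 -x 10.10.2.20`: the answer should be NXDOMAIN with an SOA for 10.in-addr.arpa in the authority section, and a packet capture on port 53 towards 8.8.8.8 / 8.8.4.4 should show no query for 20.2.10.10.in-addr.arpa. The same check against a public address (for example `dig @127.0.0.1 -x 8.8.8.8`) should still go upstream, since no stanza covers it.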