Blocking reverse lookup queries for private ips

Sachin Patil 04sachin at gmail.com
Thu Nov 24 08:27:21 UTC 2016


Hello Mark,

Thank you very much for the reply.

I have changed the option "forward only;" to "forward first;" and that has
enabled the empty zones.
Using tcpdump I can see that requests for private IPs are no longer going out over the internet.

This configuration works, but is it a good configuration for a forward-only
DNS server, or will there be any problems related to caching etc. with this conf?

Regards,
Sachin


On Thu, Nov 24, 2016 at 10:54 AM, Mark Andrews <marka at isc.org> wrote:

>
> Automatic empty zones are not created when there is a forward only
> entry covering the zone name.  Almost all the time it is someone
> trying to make internal reverse zones work and if the upstream
> server is correctly configured it will prevent the queries leaking
> to the Internet as a whole.
>
> You are forwarding all your lookups to Google recursive servers in
> forward only mode so empty zones won't be created.
>
> If you don't want the queries to be sent to Google create your own
> empty zones or disable forwarding for these namespaces.
>
> Mark
>
> In message <CADu4ah4OqZeTda2PANwVuSV9OAJCaapHZpxaAz7ApdU3DTSz-Q at mail.gmail.com>, Sachin Patil writes:
> >
> > Sending this to bind list ... had only sent to Tony by mistake.. !!
> >
> > On Tue, Nov 22, 2016 at 5:45 PM, Sachin Patil <04sachin at gmail.com> wrote:
> >
> > > Hello Tony,
> > > Thank you very much for the reply.
> > >
> > > I have configured bind in forward mode.
> > > My conf file looks like -
> > >
> > > options {
> > >     directory "/var/cache/named";
> > >     pid-file "/var/run/named/named.pid";
> > >     recursion yes;
> > >     allow-recursion { any; };
> > >
> > >     forwarders {
> > >         8.8.8.8;
> > >         8.8.4.4;
> > >     };
> > >     forward only;
> > >     empty-zones-enable yes;
> > >     dnssec-enable yes;
> > >     dnssec-validation yes;
> > >
> > >     auth-nxdomain no;    # conform to RFC1035
> > >     listen-on-v6 { any; };
> > >     server-id none;
> > > };
> > >
> > >
> > > Lookup requests like "nslookup 10.10.2.20 127.0.0.1" are still sent to
> > > 8.8.4.4.
> > >
> > >
> > >
> > > On Tue, Nov 22, 2016 at 4:27 PM, Tony Finch <dot at dotat.at> wrote:
> > >
> > >> Sachin Patil <04sachin at gmail.com> wrote:
> > >>
> > >> > I want to return nxdomain for any private ip reverse lookup.
> > >>
> > >> BIND does this by default. Look for "built-in empty zones" in
> > >> https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html
> > >>
> > >> Tony.
> > >> --
> > >> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> > >> Southeast Iceland: Northerly 4 or 5, becoming variable 3 or 4. Rough becoming
> > >> moderate. Wintry showers. Good, occasionally moderate.
> > >>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
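The following named.conf is an added example for this archived thread; it is not the configuration Sachin posted nor anything from ISC. It shows the two remedies Mark names, written out, while keeping "forward only" rather than switching to "forward first" (with forward first, a forwarder that fails to answer makes the server recurse on its own, so queries can still leave the network). The directory, the zone-file name "db.empty" and the zone-file contents are assumptions; the allow-recursion list is narrowed from the thread's "any" because an open recursive resolver is reachable by everyone, which is unrelated to the empty-zone problem but is the first thing a reviewer would flag in the posted config.

```conf
// Added example, not the configuration from the thread.
// Assumed: /var/cache/named is the working directory and "db.empty" is a
// zone file in it with the constructed contents shown in the comment below.
options {
    directory "/var/cache/named";
    recursion yes;
    // The thread's config used { any; }; restrict recursion to the networks
    // this resolver actually serves so it is not an open resolver.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;            // kept: names not matched by a zone below still go upstream
    empty-zones-enable yes;  // does nothing for names covered by "forward only" (Mark's point)
    dnssec-validation yes;
};

// Option A, "create your own empty zones": an explicitly configured zone is
// answered locally, so the server returns NXDOMAIN for every name under it
// and nothing about these names is sent to the forwarders.
//
// Constructed contents of the assumed file /var/cache/named/db.empty:
//
//   $TTL 3600
//   @   IN  SOA  localhost. root.localhost. ( 1 3600 900 604800 3600 )
//   @   IN  NS   localhost.
//
zone "10.in-addr.arpa"      { type master; file "db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "db.empty"; };
// 172.16.0.0/12 is sixteen /16 reverse zones, 16.172 through 31.172:
zone "16.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "db.empty"; };

// Option B, "disable forwarding for these namespaces": an empty forwarders
// list in a zone statement cancels the global forwarders for that name, so
// there is no longer a forward-only entry covering it and BIND's automatic
// empty zone is created for it instead. Use A or B for a given namespace,
// not both. Shown for one zone and commented out because Option A above
// already covers 10.in-addr.arpa:
//
// zone "10.in-addr.arpa" { type forward; forwarders {}; };
```

To confirm the fix, repeat the check Sachin used: run the reverse lookup against 127.0.0.1 (for example with dig -x 10.10.2.20 @127.0.0.1) and expect NXDOMAIN with the zone's SOA in the authority section, while a tcpdump on port 53 towards 8.8.8.8 and 8.8.4.4 shows no packet for that query.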