forward zone

Matus UHLAR - fantomas uhlar at fantomas.sk
Sat Oct 27 12:13:55 UTC 2018


>>On 26.10.18 00:12, Frédéric Lochon wrote:
>>>Today, I just set up a new zone of type "forward" but I have 
>>>trouble making it work properly:
>>>- my home network is allowed to send queries because it is "trusted"
>>>- nobody from outside my home network is allowed to send queries 
>>>because it is not "trusted"
>>>
>>>As you can't have "allow-query" in a zone of type "forward", I 
>>>don't find any nice solution.

>On 26/10/2018 at 09:21, Matus UHLAR - fantomas via bind-users wrote:
>>You can and you also need to add allow-query for it.  However, since
>>forward zone is not stored locally, all requests for it are forwarded,
>>so you must allow recursion for the zone, if you want to allow everyone
>>to use it.

On 27.10.18 13:53, Frédéric Lochon wrote:
>This is what I wanted to do. But allow-query and allow-recursion are 
>not allowed inside a zone of type forward.

aha. I haven't looked at the possibility of allow-recursion for "type forward"
zone. allow-query still seems to be supported, even if it wouldn't forward...

>That's why I'm looking for another solution.

>>Now I have a question, why do you want people from outside to access
>>forward zone? can't you slave it instead?

>At the beginning I wanted to detect some specific DNS queries on my BIND.
>Those queries are dummy (answers too...). It's used by some IoT 
>devices to send "heartbeats" by using open access points with captive 
>portal (usually, DNS queries are sent even if you don't authenticate).

IoT devices in your network should have recursion allowed.

>So my first idea was to use BIND logging capabilities, but that's not 
>applicable because BIND only logs everything or nothing.
>
>So, I decided to write my own DNS server which would detect those 
>queries, and because I have only 1 IPv4, I would let BIND forward the 
>queries to my custom server (running on the same IP but another port).
>
>Thus, slaving is not possible, as queries would be seen only by BIND.

because of caching by BIND, the other server would only see some of those
queries too.

However, if you want to find out what traffic your IoT devices send, you
could try capturing or duplicating their traffic on the router...

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do not want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".
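The thread discusses detecting a small set of "heartbeat" queries on a BIND resolver, and notes that a forwarded server only sees cache misses while BIND's own query log records every query as it arrives from a client. The following is an added example, not code from the thread or from BIND: it filters BIND 9 query-log lines (query logging assumed enabled for all queries) for names under a chosen zone, counts them per client, and flags clients outside a trusted network list. The log lines, the zone name `hb.example.net`, and the trusted prefixes are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# BIND 9 query-log line, with or without the optional "@0x..." client pointer:
#   <timestamp> client [@0xPTR] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Constructed sample log lines (not taken from the original message).
SAMPLE_LOG = """\
27-Oct-2018 12:13:55.101 client @0x7f3a1c0012a0 192.168.1.20#54321 (beat-001.hb.example.net): query: beat-001.hb.example.net IN TXT +E(0)K (192.168.1.1)
27-Oct-2018 12:13:55.102 client 192.168.1.21#40001 (www.example.com): query: www.example.com IN A + (192.168.1.1)
27-Oct-2018 12:13:56.300 client 192.168.1.20#54322 (beat-002.hb.example.net): query: beat-002.hb.example.net IN TXT + (192.168.1.1)
27-Oct-2018 12:13:57.005 client 203.0.113.9#1337 (beat-003.hb.example.net): query: beat-003.hb.example.net IN TXT + (192.0.2.1)
27-Oct-2018 12:13:58.000 client 192.168.1.30#5353 (HB.EXAMPLE.NET): query: HB.EXAMPLE.NET IN A + (192.168.1.1)
"""


def parse_query_line(line):
    """Return a dict for one query-log line, or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    timestamp = line.split(" client ", 1)[0]
    return {
        "ts": timestamp,
        "client": m["ip"],
        "port": int(m["port"]),
        # Names are case-insensitive; normalise so HB.EXAMPLE.NET matches hb.example.net.
        "name": m["name"].rstrip(".").lower(),
        "cls": m["cls"],
        "type": m["type"],
    }


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def find_heartbeats(log_text, zone, trusted_prefixes):
    """Count queries under `zone` per client; also list queries from untrusted sources.

    Returns (Counter of client -> query count, list of (ts, client, name) from
    addresses outside `trusted_prefixes`).
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
    per_client = Counter()
    outsiders = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or not in_zone(rec["name"], zone):
            continue
        per_client[rec["client"]] += 1
        addr = ipaddress.ip_address(rec["client"])
        if not any(addr in net for net in trusted):
            outsiders.append((rec["ts"], rec["client"], rec["name"]))
    return per_client, outsiders


if __name__ == "__main__":
    counts, outside = find_heartbeats(SAMPLE_LOG, "hb.example.net", ["192.168.1.0/24"])
    for client, n in counts.most_common():
        print(f"{client}: {n} heartbeat queries")
    for ts, client, name in outside:
        print(f"untrusted source {client} asked for {name} at {ts}")
```

Because the query log is written when a query is received, before any cache lookup, this view is complete even when BIND answers repeated queries from cache; a server that only receives forwarded queries would miss those cache hits, which is the caveat raised in the message.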

