Forward zone inside a view

Roberto Carna robertocarna36 at gmail.com
Thu Feb 7 19:30:58 UTC 2019


Dear all, thanks for your reply. I used teamviewer.com just for tests.

The desktops I mentioned can only access web apps on internal domains, but
some of those web apps contain links to download the TeamViewer client
software from the Internet. I could create a private zone "teamviewer.com"
with all the hostnames and IPs we will use, but if they change I will be in
trouble.

So we need to forward the query to our resolvers in order to get a valid
response.

So I think we can use BIND's forward option, but it doesn't work at all, as
I described:

1. "recursion no" can only be set at the top (view) level, not overridden
   at the zone level.

2. If I set "recursion no" at the view level, then a "type forward"
   zone has no effect:

  view "foo" {
    recursion no;
    ...
    zone "teamviewer.com" {
      type forward;
      forward only;
      forwarders { 172.18.1.1; 172.18.1.2; };
    };
  };

-- the query for foo.teamviewer.com fails and says it's not a recursive query

3. If I define "recursion yes" at view level:

  view "foo" {
    recursion yes;
    ...
    zone "teamviewer.com" {
      type forward;
      forward only;
      forwarders { 172.18.1.1; 172.18.1.2; };
    };
  };

-- the query for foo.teamviewer.com is OK, but I also get OK responses for
foo.ibm.com, foo.google.com, and any other public domain on the Internet
(and this is not what I want; it's what I'm trying to prevent)

So can you help me, please?

Regards.


On Thu, Feb 7, 2019 at 15:40, Matus UHLAR - fantomas (<uhlar at fantomas.sk>)
wrote:

> On 07.02.19 14:58, Roberto Carna wrote:
> >In our company we have several desktops in two different cities accessing
> >only internal domains, distributed across two views in a private BIND with
> >authoritative zones, where I've defined "recursion no;".
> >
> >But now we have to let them access *.teamviewer.com hostnames, just this
> >public domain and no other.
>
> btw, when did linux.org change to teamviewer.com?
>
> >So I've implemented forwarding of the "teamviewer.com" zone to our BIND
> >resolver servers (they forward DNS queries to 8.8.8.8). So I've created a
> >third view with this information in named.conf.local:
> >
> >acl internet { 10.0.0.0/24; };
> >
> >view "internet" {
> >   match-clients { internet; key "custom"; };
> >   recursion yes;
> >   zone "teamviewer.com" {
> >        type forward;
> >        forward only;
> >        forwarders {
> >                172.18.1.1;
> >                172.18.1.2;
> >        };
> >   };
> >};
>
>
> >I defined "recursion yes", but the BIND server forwards all public
> >domain queries to our resolvers and not just "teamviewer.com", so it
> >doesn't work. And if I change it to "recursion no", the query for
> >www.teamviewer.com is refused and on the client side an error appears
> >saying that recursion is necessary.
>
> of course, BIND will resolve other domains (recurse) only when you allow it
> to recurse.
>
> >So I either let the desktops resolve all Internet domains or none, and
> >this is not what I want, because I just want to let them resolve
> >teamviewer.com.
> >
> >How can I forward only teamviewer.com zone queries to my resolvers?
>
> what is the point of running DNS server with only two hostnames allowed to
> resolve?
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?
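As an added example (my own, not ISC's and not from this thread), one way to get what is asked for above: keep "recursion yes" in the view, because a "type forward" zone is served through the recursive code path and can never answer under "recursion no" (that is the "not a recursive query" failure in point 2), and instead make the view locally authoritative for an empty root zone. named always picks the most specific zone it holds for a name, so foo.teamviewer.com hits the forward zone and is forwarded, while foo.google.com falls through to "." and is answered NXDOMAIN from local authoritative data without any recursion (the point 3 leak). The ACL, view name, key name and forwarder addresses are the ones posted in the thread; the zone file paths and the "corp.example" internal zone are placeholders.

```conf
// Added example named.conf view, not from the thread or from ISC.
acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; key "custom"; };

    // Recursion must stay on: "type forward" zones only work when the
    // client is allowed to recurse. The restriction comes from the zone
    // table below, not from "recursion no".
    recursion yes;
    allow-recursion { internet; };

    // Assumption to verify on your BIND version: with validation on, the
    // validator's own lookup for the root DNSKEY would be answered from the
    // empty root zone below and fail. The upstream resolvers validate, so
    // turn it off in this view.
    dnssec-validation no;

    // The only public name allowed out. More specific than "." below, so it
    // is matched first and the query is forwarded, never answered locally.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    // Internal authoritative zones stay exactly as they are today
    // (placeholder name and file path).
    zone "corp.example" {
        type master;
        file "/etc/bind/db.corp.example";
    };

    // Catch-all: an empty root zone. Any name not covered by a more specific
    // zone above matches "." and gets an authoritative NXDOMAIN from local
    // data; named does not recurse for it. The file holds only a $TTL, an
    // SOA and one NS record pointing at localhost (placeholder path;
    // Debian ships such a file as db.empty).
    zone "." {
        type master;
        file "/etc/bind/db.empty";
    };
};
```

Two things to check when trying this. First, do not include the stock default-zones file (the one carrying `zone "." { type hint; ... }`) inside this view, since a second zone "." is a duplicate and named-checkconf will reject it; root hints belong only in the views that are meant to recurse freely. Second, verify from a client in the ACL: `dig @<server> foo.teamviewer.com` should come back from the forwarders, and `dig @<server> foo.google.com` should return NXDOMAIN with the aa flag set and the name's SOA from the local root zone in the authority section, which is the sign that the query never left the box.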