Forward zone inside a view

Kevin Darcy kevin.darcy at fcagroup.com
Tue Feb 12 22:45:49 UTC 2019


Define root zone.

Delegate teamviewer.com from root zone.

Define teamviewer.com as "type forward".

"recursion no" is incompatible with *any* type of forwarding or iterative
resolution. It should only be used if *everything* you resolve is from
authoritative data, i.e. for a hosting-only BIND instance. Since you want
to forward -- selectively -- you need "recursion yes". Nothing outside of
that part of the namespace will be forwarded, since named considers
everything else to be contained in the root zone.


    - Kevin
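
The layout Kevin describes above (and the empty `type master` "." zone Matus suggests further down the thread), as an added example that is not code from the thread or from ISC: a shell script that writes the restricted view and its root zone file into a scratch directory and sanity-checks them. The view, ACL and key names and the 10.0.0.0/24 network are taken from Roberto's posted configs; the zone file name `db.empty-root`, `localhost.` as the delegation target, and the `check_config` helper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the "forward one domain,
# answer NXDOMAIN for everything else" view from Kevin's three steps and
# check the result. Assumptions: output directory from $1 (default: a temp
# dir), zone file name db.empty-root, "localhost." as the delegation target.
# The key "pnet" must be defined elsewhere in named.conf, as in Roberto's setup.
set -eu

OUT="${1:-$(mktemp -d)}"

# Steps from the reply: root zone, delegation, forward zone, recursion yes.
write_config() {
    cat > "$OUT/named.conf.internet" <<'EOF'
acl internet_clients { 10.0.0.0/24; };

view "internet" {
    match-clients { internet_clients; key "pnet"; };

    // Forwarding is recursion, so it has to be switched on in this view.
    recursion yes;

    // Locally authoritative, otherwise-empty root zone: any name that is
    // not delegated below is answered NXDOMAIN here and never recursed.
    zone "." {
        type master;
        file "/etc/bind/db.empty-root";
    };

    // The one exception. "forward only" means named sends these queries
    // to the forwarder and never falls back to iterative resolution.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 8.8.8.8; };
    };
};
EOF

    # Zone file for the empty root, with the delegation Kevin asks for.
    # The NS target is irrelevant in practice: the forward zone is the
    # closest match for teamviewer.com names, so it is consulted first.
    cat > "$OUT/db.empty-root" <<'EOF'
$TTL 3600
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 3600 )
@               IN NS   localhost.
localhost.      IN A    127.0.0.1
; delegation of the forwarded domain out of the empty root
teamviewer.com. IN NS   localhost.
EOF
}

# Sanity check: required statements present, braces balanced, and the zone
# file accepted by named-checkzone when BIND's tools are installed.
# Prints "ok" on success.
check_config() {
    conf="$OUT/named.conf.internet"
    zone="$OUT/db.empty-root"
    for needle in 'recursion yes;' 'zone "." {' 'type master;' \
                  'zone "teamviewer.com" {' 'type forward;' 'forward only;'; do
        grep -qF "$needle" "$conf" || { echo "missing: $needle"; return 1; }
    done
    opens=$(tr -cd '{' < "$conf" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$conf" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] || { echo "unbalanced braces"; return 1; }
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q . "$zone" || { echo "zone check failed"; return 1; }
    fi
    echo ok
}

write_config
check_config
echo "wrote $OUT/named.conf.internet and $OUT/db.empty-root"
# On the real server, after named-checkconf and a reload, the two probes that
# confirm the behaviour the thread is after are:
#   dig @<server> www.teamviewer.com   -> answer relayed from the forwarder
#   dig @<server> www.example.com      -> status NXDOMAIN, nothing recursed
```

The check function only proves the generated files are well-formed; the `dig` probes in the trailing comment are what show that clients in the view get answers for teamviewer.com and an authoritative NXDOMAIN for every other public name.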

On Mon, Feb 11, 2019 at 9:06 AM Roberto Carna <robertocarna36 at gmail.com>
wrote:

> Matus, I've followed what you say:
>
> view "internet" {
>     match-clients { internet_clients; key "pnet"; };
>
>     recursion yes;
>
>     zone "teamviewer.com" {
>         type forward;
>         forward only;
>         forwarders {
>             8.8.8.8;
>         };
>     };
> };
>
> but clients can resolve ANY public Internet domain, in addition to
> teamviewer.com.... I think "recursion yes" applies to every public domain and
> not just to "teamviewer.com", but I don't know why.
>
> Please can you give me more details, using forward or not, how can I let
> some clients resolve just teamviewer.com??? I confirm that my BIND is an
> authoritative name server for internal domains.
>
> Thanks a lot again.
>
> On Mon., 11 Feb. 2019 at 10:49, Matus UHLAR - fantomas (<uhlar at fantomas.sk>) wrote:
>
>> On 11.02.19 10:38, Roberto Carna wrote:
>> >Dear Matus, thanks a lot for your help.
>> >
>> >>> what is the point of running DNS server with only two hostnames allowed
>> >>> to resolve?
>> >
>> >The point is I have several desktops that must have access only to internal
>> >domains. The only exception is they have access to teamviewer.com in
>> >order to download the Teamviewer client and a pair of operations in this
>> >public domain.
>>
>> if you disable recursion, any client using that server will only have access
>> to the domains that are configured on that server internally.
>>
>> That also means they won't be allowed to contact any internal domains,
>> unless you configure those internal domains on that server.
>> Also no windows updates, nothing.
>>
>> >I think if I have set up "recursion = no", if I define a forward zone with
>> >"type forward" and the corresponding forwarder, this option enables the
>> >recursion just for this defined zone.
>>
>> No. Forward zone means recursion. "recursion no" is designed for
>> authoritative servers, not servers like this.
>>
>> >In general, my question is how to forward a public domain to a DNS resolver
>> >like 8.8.8.8 ???
>>
>> configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
>> do resolution well without forwarding. Also, this seems to be just the
>> opposite of what you describe above.
>>
>> >On Sat., 9 Feb. 2019 at 12:28, Matus UHLAR - fantomas (<uhlar at fantomas.sk>) wrote:
>> >
>> >> On 07.02.19 16:30, Roberto Carna wrote:
>> >> >Desktops I mentioned can only access web apps from internal domains, but
>> >> >in some web apps there are links to download Teamviewer client software
>> >> >from the Internet. I can create a private zone "teamviewer.com" with all the
>> >> >hostnames and IPs we will use, but if they change I will be in trouble.
>> >> >
>> >> >So we need to forward the query to our resolvers in order to get a valid
>> >> >response.
>> >> >
>> >> >So I think we can use the forward option from BIND, but it doesn't work at
>> >> >all as I described:
>> >> >
>> >> >1. "recursion no" can only be set at the top (view) level, not overridden
>> >> >   at the zone level.
>> >> >
>> >> >2. If I set "recursion no" at the view level, then a "type forward"
>> >> >   zone has no effect:
>> >> >
>> >> >  view "foo" {
>> >> >    recursion no;
>> >> >    ...
>> >> >    zone "teamviewer.com" {
>> >> >      type forward;
>> >> >      forward only;
>> >> >      forwarders {172.18.1.1; 172.18.1.2;};
>> >> >    };
>> >> >  };
>> >> >
>> >> >-- query for foo.teamviewer.com fails and tells me it's not a recursive query
>> >>
>> >> the whole point of "recursion no" is not to answer recursive queries,
>> >> so there should be no wonder it works that way.
>> >>
>> >>
>> >> >3. If I define "recursion yes" at view level:
>> >> >
>> >> >  view "foo" {
>> >> >    recursion yes;
>> >> >    ...
>> >> >    zone "teamviewer.com" {
>> >> >      type forward;
>> >> >      forward only;
>> >> >      forwarders {172.18.1.1; 172.18.1.2;};
>> >> >    };
>> >> >  };
>> >> >
>> >> >-- query for foo.teamviewer.com is OK, but I also get an OK response from
>> >> >foo.ibm.com, foo.google.com, and any other public domain from the Internet
>> >> >(and this is not what I want, it's what I'm trying to prevent)
>> >> >
>> >> >So can you help me please???
>> >>
>> >> you still have not answered my question:
>> >>
>> >> >> what is the point of running DNS server with only two hostnames allowed
>> >> >> to resolve?
>> >>
>> >> However, you can define empty type master "." zone, and bind will return
>> >> NXDOMAIN for anything else.
>> >>
>> >>
>> >> >On Thu., 7 Feb. 2019 at 15:40, Matus UHLAR - fantomas (<uhlar at fantomas.sk>) wrote:
>> >> >
>> >> >> On 07.02.19 14:58, Roberto Carna wrote:
>> >> >> >In our company we have several desktops from two different cities accessing
>> >> >> >only internal domains distributed in two views in a private BIND with
>> >> >> >authoritative zones, where I've defined "recursion no;".
>> >> >> >
>> >> >> >But now we have to let them access *.teamviewer.com hostnames, just
>> >> >> >this public domain and no other.
>> >> >>
>> >> >> btw, when did linux.org change to teamviewer.com?
>> >> >>
>> >> >> >So I've implemented the forwarding of "teamviewer.com" zone to our BIND
>> >> >> >resolver servers (they forward DNS queries to 8.8.8.8). So I've created a
>> >> >> >third view with this information in named.conf.local:
>> >> >> >
>> >> >> >acl internet { 10.0.0.0/24; };
>> >> >> >
>> >> >> >view "internet" {
>> >> >> >    match-clients { internet; key "custom"; };
>> >> >> >    recursion yes;
>> >> >> >    zone "teamviewer.com" {
>> >> >> >        type forward;
>> >> >> >        forward only;
>> >> >> >        forwarders {
>> >> >> >            172.18.1.1;
>> >> >> >            172.18.1.2;
>> >> >> >        };
>> >> >> >    };
>> >> >> >};
>> >> >>
>> >> >>
>> >> >> >I defined "recursion yes" but the BIND server forwards all the public
>> >> >> >domain queries to our resolvers and not just those for "teamviewer.com", so it
>> >> >> >doesn't work. And if I change to "recursion no", the query for
>> >> >> >www.teamviewer.com is refused and at the client side an error appears
>> >> >> >saying that recursion is necessary.
>> >> >>
>> >> >> of course, BIND will resolve other domains (recurse) only when you allow it
>> >> >> to recurse.
>> >> >>
>> >> >> >So I let desktops resolve all the Internet domains or none, and this is
>> >> >> >not what I want because I just want to let them resolve just teamviewer.com.
>> >> >> >
>> >> >> >How can I forward only teamviewer.com zone queries to my resolvers???
>> >> >>
>> >>
>> >> --
>> >> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>> >> Warning: I wish NOT to receive e-mail advertising to this address.
>> >> Warning: I do not wish to receive any advertising mail at this address.
>> >> Eagles may soar, but weasels don't get sucked into jet engines.
>> >> _______________________________________________
>> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> >> unsubscribe from this list
>> >>
>> >> bind-users mailing list
>> >> bind-users at lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/bind-users
>> >>
>>
>>
>>
>> --
>> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do not wish to receive any advertising mail at this address.
>> The early bird may get the worm, but the second mouse gets the cheese.