Finer control over REFUSED, e.g. root referrals
Fred Morris
m3047 at m3047.net
Tue Sep 9 02:22:34 UTC 2025
Hello, I appreciated your earlier comment regarding some shared utopian
internet citizen responsibility to have a port 53 listener on every
address... or not.
On 9/8/25 7:42 AM, Michael Richardson wrote:
> Fred Morris <m3047 at m3047.net> wrote:
> > It needs to recurse to gather the data which it is intended to deliver.
> > It also runs RPZ configured as a WAF ("web application firewall". I
> > know, this is DNS. deal with the cognitive dissonance, starting with the
> > fact that RPZ is referred to as a "DNS firewall" pretty much everywhere)
> > so that only specific, pre-determined queries are allowed. I don't run
> > RRL, I have other measures.
>
> Does this work:
> * turn off recursion on the "front" facing server.
> * use forwarders to forward to an internally facing server that does
> have recursion on. This can be an alias on lo. It could even be a view.
>
> I'm not sure if it will really work.... reads Bind9-doc..
>
> "Forwarding can also be configured on a per-domain basis, allowing for the
> global forwarding options to be overridden in a variety of
> ways. Particular domains can be set to use different forwarders, or have a
> different forward only/first behavior, or not forward at all; see zone."
>
> I'm unclear if forwarding is allowed when not recursing.
A truly helpful person made some suggestions off-list, and I ended up
trying some things based on "any" and "! any" but it didn't pan out. I
didn't try forward zones, just static-stub. But it somehow interpreted
it as "recursion" and somehow disabled it, so if you haven't tried it...
we're back to "business logic". My earlier experiment relied on
allow-query { [!] all; } and I don't see that in the doc for forward
zones. So unless you had something different in mind...
> Given that this DNS server is not serving a zone which needs to be publicly
> reachable,
It does need to be publicly reachable, it's just not part of The DNS. At
least until somebody does that; and of course they will. Honestly in the
fog of war nobody will care. But I care.
> the concern about an attacker pointing a zone at your server, and
> then setting off timeouts elsewhere seems less of a problem.
Could be a problem, could be an opportunity. I don't know. I'm reading
that _Silence is not Golden_ paper now. Is there some other paper which
I should review?
> As I understand it, your WAF is the only client for this redis data?
The "WAF" is "the RPZ implementation integral to BIND". If it didn't
exist then anything allowed by RKVDNS would be exposed.
> Why can't your ACL things out?
Waaat? Addresses? That's handled by the adaptive firewall. I have bigger
fish to fry roast crisp batter and fry bake etc etc. Yum yum!
It's "any" and "! any".
> Even if you have to acceptlist all of EC2 or
> something, that would still be a win right?
http://consulting.m3047.net/dubai-letters/balkanized-internet.html
Picture: "this is fine" with a cage of creatures roasting in hell while
I don't care and am completely unaffected. I'll do biz with what is left.
> The second question is why your front-end DNS isn't a secondary for all of
> these zones? Is rkvdns incapable of that?
Yes, it is incapable of zone snapshots. You don't want my monologue as
the manager of a key/value store regarding "all the things!". You don't
want my long monologue as a former document management SME. Although, I
will state that the serial number notion remains relevant for the
management aspects of the zone, and RKVDNS probably falls short there.
--
Fred Morris, internet plumber