<div> Hmm.... many thanks Kevin for that!<br>
<br>
<font face="Arial, Helvetica, sans-serif">What I am trying to establish is something more like an ISP DNS server set, of course they would probably be doing exactly what you suggested:<br>
<br>
"</font><font face="Arial, Helvetica, sans-serif">If you want to allow a *limited* set of clients on the other side of
your NAT to query Internet names, then add them to the "internal" view.
Optionally, change the name of the "internal" view to something which
more accurately reflects its intent, e.g. "trusted_ranges" or whatever. "<br>
</font></div>
<div> <font face="Arial, Helvetica, sans-serif"><br>
I don't know about the root dns servers themselves if they are provisioned like this but really it's just an open end experiment in my test lab.<br>
<br>
I did include the root "." zone in the external view before which didn't work either so I guess if I can get that particular zone to work with any public IP address then I can later create a "trusted_wan" zone in which certain public IP addresses are accepted for recursive lookup for root servers.<br>
<br>
For example if I added:<br>
<br>
</font><font face="Arial, Helvetica, sans-serif">zone "." { <br>
type hint; <br>
file "/etc/opt/csw/bind/db.root"; <br>
}; <br>
<br>
to both external and internal views would that work??<br>
<br>
so if I did something more like this:<br>
<br>
</font><font face="Arial, Helvetica, sans-serif">acl internals { <br>
127.0.0.0/8; <br>
192.168.0.0/22; <br>
}; <br>
include "/etc/opt/csw/bind/named.conf.options"; <br>
<br>
// View for internal clients <br>
<br>
view "internal" { <br>
match-clients { internals; }; <br>
allow-recursion { 192.168.0.0/22; 127.0.0.1; }; <br>
<br>
// be authoritative for the localhost forward and reverse zones, and for <br>
// broadcast zones as per RFC 1912
> <br>
<br>
</font><font face="Arial, Helvetica, sans-serif">zone "." { <br>
type hint; <br>
file "/etc/opt/csw/bind/db.root"; <br>
};</font><br>
<font face="Arial, Helvetica, sans-serif"><br>
zone "localhost" { <br>
type master; <br>
file "/etc/opt/csw/bind/db.local"; <br>
};<br>
<br>
zone "127.in-addr.arpa" { <br>
type master;
> // file "/etc/opt/csw/bind/db.127"; <br>
};<br>
<br>
zone "0.in-addr.arpa" { <br>
type master;
> // file "/etc/opt/csw/bind/db.0"; <br>
};<br>
<br>
zone "255.in-addr.arpa" { <br>
type master; <br>
file "/etc/opt/csw/bind/db.255"; <br>
}; <br>
<br>
include "/etc/opt/csw/bind/named.conf.local"; <br>
<br>
};</font><br>
<font face="Arial, Helvetica, sans-serif"><br>
</font><font face="Arial, Helvetica, sans-serif">view "external" { <br>
match-clients { any; !192.168.0.0/22; !127.0.0.1; }; <br>
allow-recursion { 127.0.0.1; }; <br>
include "/etc/opt/csw/bind/named.conf.external"; <br>
<br>
</font><font face="Arial, Helvetica, sans-serif">zone "." { <br>
type hint; <br>
file "/etc/opt/csw/bind/db.root"; <br>
};</font><br>
<font face="Arial, Helvetica, sans-serif">
<br>
};<br>
<br>
Then later I could build another view once my network grows over the internet without taking into consideration VPN's for the moment:<br>
<br>
</font><font face="Arial, Helvetica, sans-serif">view "trusted_wan" {</font><br>
<font face="Arial, Helvetica, sans-serif">match-clients { IP1; IP2; !192.168.0.0/22; !127.0.0.1; }; <br>
allow-recursion { 127.0.0.1; }; <br>
include "/etc/opt/csw/bind/named.conf.external"; <br>
<br>
</font><font face="Arial, Helvetica, sans-serif">zone "." { <br>
type hint; <br>
file "/etc/opt/csw/bind/db.root"; <br>
};<br>
<br>
};<br>
<br>
and slot this view after the "internal" view! What do you think?<br>
<br>
Kaya<br>
</font><font face="Arial, Helvetica, sans-serif"><br>
</font></div>
<div> <br>
</div>
-----Original Message-----<br>
From: Kevin Darcy <kcd@chrysler.com><br>
To: <font face="Arial, Helvetica, sans-serif">bind-users@lists.isc.org</font><br>
Sent: Wed, Jul 1, 2009 2:23 am<br>
Subject: Re: Using DNS servers to query root servers from WAN<br>
<br>
<div id="AOLMsgPart_0_3db0dda9-2520-47bd-8e3f-ac484b0b23a8" style="margin: 0px; font-family: Tahoma,Verdana,Arial,Sans-Serif; font-size: 12px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
The first view matched is the one which is selected. <br>
<br>
External clients are matching the "external" view, but they are not
allowed to recurse. Therefore they can only see the root zone and/or
whatever authoritative zones you've defined in that "include" file. <br>
<br>
Note that the "all" view is *never* matched, since everything will have
already matched "internal" or "external" before getting that far. <br>
<br>
The bigger security question is: why would you want arbitrary external
clients to be able to query arbitrary names through you? That makes you
an "open recursor" and ripe for cache poisoning, etc. <br>
<br>
<font face="Arial, Helvetica, sans-serif">If you want to allow a *limited* set of clients on the other side of
your NAT to query Internet names, then add them to the "internal" view.
Optionally, change the name of the "internal" view to something which
more accurately reflects its intent, e.g. "trusted_ranges" or whatever. </font><br>
<br>
- Kevin <br>
<br>
<font face="Arial, Helvetica, sans-serif"><a __removedlink__1597215343__href="mailto:samankaya@netscape.net"></a></font><br>
</div>
<!-- end of AOLMsgPart_0_3db0dda9-2520-47bd-8e3f-ac484b0b23a8 -->
<div id='MAILCIAMA034-d1c64a4aa3e5311' class='aol_ad_footer'><br/><font style="color:black;font:normal 10pt arial,san-serif;"> <hr style="margin-top:10px"/><B>An Excellent Credit Score is 750. <A HREF=http://pr.atwola.com/promoclk/100126575x1222377075x1201454393/aol?redir=http://www.freecreditreport.com/pm/default.aspx?sc=668072%26hmpgID=62%26bcd=JuneExcfooterNO62>See Yours in Just 2 Easy Steps!</A></B></font> </div>