<div dir="ltr"><div>9.5.5 is old -- upgrade.</div><div><br></div><div>But, to the architecture issue... sounds like you need an "internal root with forwarding exceptions" setup.</div><div><ul><li>As per best practices, consider separating the recursive-resolver and hosting functions into separate views, separate named instances (listening on different IPs) or even separate server instances.<br></li><li>If you opt *not* to make such a separation, then at the very least, you'll need to replace "recursion no" with "allow-recursion", permitting localhost and internal clients. In the absence of recursion being allowed, none of your "type forward" zone definitions are going to work.<br></li><li>Define an internal root zone that contains delegations for the parts of the namespace that you want to resolve for your internal clients, either from authoritative data or via forwarding. Being delegated allows non-authoritative parts of the namespace to resolve sanely, via "type forward" (aka selective or conditional forwarding) definitions in named.conf. Queries for anything that doesn't fall under a delegation get NXDOMAIN from your internal root zone, which I believe meets your requirements. Note that selective/conditional forwarding is for a whole branch of the namespace -- if you want to carve out some parts of a namespace that are forwarded, and others that aren't, or if the delegation hierarchy seen through forwarding differs from the structure you want internally, then it gets complicated, but I won't belabor the point here, since I don't know if you have such a requirement or not. 
Note also that when running an internal root, you'll need to make arrangements for reverse resolution (the in-addr.arpa and ip6.arpa namespaces).</li></ul></div><div>In skeletal form, a view-based separation would look something like:</div><div><br></div><pre>view internal
    match-clients xxx        # could also use match-destinations, if listening on multiple IPs
    recursion yes            # the default
    zone "."                 # with delegations
    internal zone #1
    internal zone #2
    etc.
    forwarded zone #1
    forwarded zone #2
    etc.
view hosting
    match-clients all        # if not matched above
    recursion no
    hosted zone #1
    hosted zone #2
    etc.
</pre><div><br></div><div>If you separate by named instance and/or server instance, then each of those views would just become the default view for each instance (with no "match" clause obviously), and you would protect the "internal" listen-on address from external queries via your normal access-control methods (routing, firewalls, etc.)</div><div><div><br></div><div> - Kevin</div></div><div><br></div><div>P.S. I assume that "<a href="http://corp.intranet.de/" target="_blank" style="font-family:'Courier New'">corp.intranet.de</a>" in your example config is one of the domains you described as intended to be resolvable from the Internet, but you don't show a zone-level "allow-query", so, as it stands, it wouldn't be resolvable outside of your internal network. I'm guessing this was just an oversight when you composed your example config...</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 13, 2018 at 6:01 AM Sig Pam <<a href="mailto:spam@itserv.de" target="_blank">spam@itserv.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DE" link="#0563C1" vlink="#954F72"><div class="m_1793313520103320502m_-6399320149832568246m_-1935408523492664043WordSection1"><p class="MsoNormal">Hi all!</p>
<p class="MsoNormal"><span lang="EN-GB">I’m really despairing of a configuration, and start to wonder if it is possible at all.</span></p>
<p class="MsoNormal"><span lang="EN-GB">Running Bind 9.5.5, I want to serve IP addresses for my internal network only, and none from the Internet, except for a few domains. The idea is I don’t want any intranet client to be able to resolve Internet addresses, except for a few domains like Microsoft.com and others.</span></p>
<p class="MsoNormal"><span lang="EN-GB">My named.conf looks like this (shortened, copied together from multiple files including others):</span></p>
<pre style="margin-left:35.4pt;font-family:'Courier New'">acl intranet_nets {
    192.168.94.0/24;
    192.168.1.0/24;
    192.168.5.0/24;
};

options {
    directory "/var/cache/bind";

    allow-query { localhost; intranet_nets;};
    allow-query-cache { localhost; intranet_nets;};

    recursion no; # switching this on would resolve ANY Internet address, which I don’t want

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};

zone "corp.intranet.de" {
    type master;
    file "/etc/bind/db.corp.intranet.de";
    allow-transfer { 192.168.94.242; };
    allow-update { none;};
};

zone "94.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.94.168.192";
    allow-transfer { 192.168.94.242; };
    allow-update { none;};
};

zone "microsoft.com" IN {
    type forward;
    forwarders { 9.9.9.9; 194.150.168.168; 8.8.8.8; 8.8.4.4; };
};
</pre>
<p class="MsoNormal"><span lang="EN-GB">Running this configuration, my local addresses are correctly resolved, external addresses not (good), but DNS requests for the domain Microsoft.com neither (bad!).</span></p>
<p class="MsoNormal"><span lang="EN-GB">I actually wonder if “forward” is the right keyword (is forward = answer to the client: “don’t ask me, ask one of the forwarders” ???), or if I’m totally on the wrong way.</span></p>
<p class="MsoNormal"><span lang="EN-GB">Any support on how to implement this setup is highly appreciated,</span></p>
<p class="MsoNormal"><span lang="EN-GB"> Sig</span></p></div></div><br>
</blockquote></div>
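<div><br></div><div>Putting Kevin's skeleton together with the zone names and addresses from Sig's config: an added example (not code from either post) of the view-based layout and the internal root zone file it references. The file name db.root.internal, the name server name ns1.corp.intranet.de and its address 192.168.94.1 are assumptions.</div>

```conf
// ---- named.conf: added example, not Kevin's or Sig's own config ----
acl intranet_nets { 192.168.94.0/24; 192.168.1.0/24; 192.168.5.0/24; };

options {
    directory "/var/cache/bind";
    // The internal root below is unsigned and not under the IANA root trust
    // anchor, so "dnssec-validation auto" would make every answer fail (SERVFAIL).
    dnssec-validation no;
};

view "internal" {
    match-clients { localhost; intranet_nets; };
    recursion yes;                 // "type forward" only works with recursion allowed
    allow-recursion { localhost; intranet_nets; };
    // Internal root: a name with no delegation in db.root.internal gets NXDOMAIN
    // here and is never looked up on the Internet.
    zone "." { type master; file "/etc/bind/db.root.internal"; };
    zone "corp.intranet.de" { type master; file "/etc/bind/db.corp.intranet.de"; };
    zone "94.168.192.in-addr.arpa" { type master; file "/etc/bind/db.94.168.192"; };
    zone "microsoft.com" {         // the one Internet branch that must resolve
        type forward;
        forward only;              // never fall back to iterating from the internal root
        forwarders { 9.9.9.9; 194.150.168.168; };
    };
};

view "hosting" {
    match-clients { any; };        // everything not matched above
    recursion no;
    allow-query { any; };          // the allow-query Kevin's P.S. says is missing
    zone "corp.intranet.de" {
        type master;
        file "/etc/bind/db.corp.intranet.de";
        allow-transfer { 192.168.94.242; };
    };
};

; ---- /etc/bind/db.root.internal (assumed path): the internal root zone ----
$TTL 86400
@                        IN SOA ns1.corp.intranet.de. hostmaster.corp.intranet.de. (
                                2018111301 3600 900 604800 86400 )
@                        IN NS  ns1.corp.intranet.de.
; Only these branches exist for internal clients. The microsoft.com entry makes
; the root return a referral instead of NXDOMAIN; the "type forward" zone above
; then does the actual lookup via the forwarders.
corp.intranet.de.        IN NS  ns1.corp.intranet.de.
94.168.192.in-addr.arpa. IN NS  ns1.corp.intranet.de.
microsoft.com.           IN NS  ns1.corp.intranet.de.
ns1.corp.intranet.de.    IN A   192.168.94.1     ; glue, assumed address of this server
```

<div>With this layout an intranet client asking for a name under microsoft.com is answered through the forwarders, while any other Internet name gets NXDOMAIN from the internal root; external clients only ever see the hosting view.</div>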