type forward with no recursive flag "rd -" --> Does it work?

Fredrik Lysén fredrik.lysen at uadm.uu.se
Thu Oct 30 08:27:14 UTC 2014


I do agree with you regarding the security perspective. I've tried both
scenarios you describe.
The "slaving" part throws me an error in bind, and today we only have
5000 clients in dns "windns.mycompany.se"; within a year we'll have
~15000 dynamic clients.
That is why I'm looking for another solution, not being a "slave".
 
This is a snippet from the logfile in bind:
Sep 16 13:06:37 scopus named[10172]: error: transfer of
'windns.mycompany.se/IN/internal' from 1.1.2.2#53: failed while
receiving responses: not exact

My biggest concern is how this will scale, maybe I can ignore the error?

In a perfect world I would take care of the windows clients natively in
bind, but this is not a perfect world, this is a university :-)

Brgd
Fredrik
 
On 10/29/2014 08:51 PM, Mark Andrews wrote:
> Firstly people over think DNS.  99.99% of times there is no need
> to have an internal zone at all.  Hiding internal hostnames and
> addresses has almost no security benefit at all.
>
> acl internal { .... };
>
> view internal {
>     match-clients { internal; };
>     zone mycompany.se  {  ... };
>     zone windns.mycompany.se  { type slave; masters { windows server };  ...};
> };
>
> view external {
>     match-clients { any; };
>     zone mycompany.se  { .... };
>     zone windns.mycompany.se  { type master; file "windns.mycompany.se.db"; };
> };
>
> Where windns.mycompany.se.db consists of SOA and NS records which match
> those of mycompany.se.  It is an empty zone.
>
> @	SOA ...
> @	NS ...
> @	NS ...
>
> Or you can even do it without views
>
> acl internal { .... };
> zone mycompany.se  { .... };
> zone windns.mycompany.se  {
>     type slave;
>     masters { windows server };
>     file "windns.mycompany.se.bk";
>     allow-query { internal; };
>     allow-transfer { internal; };
> }; 
>
> In message <C84E9BC18F8D074983FE0DCB8525DB2B331578F6 at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>> Thanks Mark for rapid response,
>> To have a working solution for both clients and resolvers with "type
>> forward" statement, you also have to delegate and declare NS on the same
>> tree level?
>>
>> Problem:
>> I take advantage of split-dns having view "internal" and "external". Our
>> zone "windns.mycompany.se" is strictly an internal matter, and only
>> appears in view "internal". Zone mycompany.se is in the view "external".
>> I don't like populating NS records to my internal zone
>> "windns.mycompany.se"!
>>
>> I don't know if there is an internal client or internal resolver asking my
>> DNS questions, I can only see if the RD bit is set or not and if the
>> query is from "my trusted network" (view "internal").
>>
>> Regards
>> Fredrik
>>
>> On 10/27/2014 09:21 PM, Mark Andrews wrote:
>>
>>
>> Just delegate windns.mycompany.se.  Add something like this to
>> mycompany.se.
>>
>>         windns.mycompany.se NS nameserver
>>         windns.mycompany.se NS nameserver
>>
>> As to the answer to your question, no.   Forward zones redirect
>> recursive queries from the nameserver.
>>
>> Mark
>>
>> In message <C84E9BC18F8D074983FE0DCB8525DB2B331522BC at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>>
>>
>> Hi,
>> When having one zone "windns.mycompany.se" hosted and handled by
>> another nameserver (Windows AD) declared as:
>> zone "windns.mycompany.se" {
>>         type forward;
>>         forward only;
>>         forwarders {10.0.0.1; 10.0.0.2;};
>> };
>>
>> Rest of the zones exist on our primary BIND dns caching nameserver.
>>
>> A client looking for "windns.mycompany.se" will have an answer because the
>> recursive flag rd (+) is set and the query will be resolved via
>> forwarders.
>> When a resolver is looking for the same information, the resolver will send
>> recursive rd (-), and the resolver will never get information regarding
>> zone "windns.mycompany.se".
>>
>> Question:
>> Shouldn't "Asking the forwarders" be prioritized before the "recursive
>> rd (-)" flag is taken into consideration? Otherwise I can't see how a
>> resolver will ever find information in the forward zone
>> "windns.mycompany.se".
>>
>> Cheers
>> Fredrik Lysén
>>
>> _______________________________________________
>> bind-workers mailing list
>> bind-workers at lists.isc.org<mailto:bind-workers at lists.isc.org>
>> https://lists.isc.org/mailman/listinfo/bind-workers
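The RD-bit behaviour discussed in this thread can be checked directly instead of inferred from the logs. The following is an added example, not code from the thread or from BIND: it sends the same SOA query for the zone twice, once with RD set (a stub client) and once with RD cleared (a resolver iterating), and decodes the response header so you can see whether the data is served authoritatively (slave zone or delegation) or only reachable through forwarding. The server address 10.0.0.5 and the zone name are assumptions.

```python
"""Probe a nameserver for a zone with and without the RD bit (added example)."""
import socket
import struct

def build_query(qname, rd, txid=0x1234, qtype=6):
    """Build a minimal DNS query; qtype 6 = SOA, class IN. RD is header bit 8."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte DNS header into the flags that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "rd": bool(flags & 0x0100),      # recursion desired (echoed)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
    }

def probe(server, qname, rd, timeout=3.0):
    """Send one UDP query and return the decoded response header."""
    q = build_query(qname, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_header(resp)

if __name__ == "__main__":
    # Assumed addresses; a forward-only zone is expected to answer only when RD=1.
    for rd in (True, False):
        h = probe("10.0.0.5", "windns.mycompany.se", rd)
        print(f"RD={int(rd)} aa={h['aa']} ra={h['ra']} rcode={h['rcode']} "
              f"answers={h['answers']} authority={h['authority']}")
```

An answer count of zero and no AA bit on the RD=0 query is the symptom described above: the forwarders are consulted only for recursive queries, so a slave zone or a delegation in the parent is what makes the data visible to iterating resolvers.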