LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 03-06-2013, 01:02 AM   #1
shawnshawn
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Rep: Reputation: Disabled
DNS bind 9.8.2 el6 x86 forwarding with no recursive lookups


I haven't found much on the web specifically about this so I wanted to ask if anybody knows if it is possible to have Bind configured as forwarding only, with no recursive queries allowed?
This would be on an authoritative master.

The reasoning for this is due to company (best practice) security policies stating that an authoritative master should not allow recursive queries. We do have a separate server dedicated for recursion that we can forward to. Root hints are also implemented, but it is suggested that they be removed as well.

I've tested with the following in named.conf:

options {
    forwarders {
        x.x.x.x;
        x.x.x.x;
        x.x.x.x;
    };

    forward only;                 // never fall back to iterative resolution
    allow-transfer { tranz; };    // "tranz" is an ACL defined elsewhere in the config
    allow-query { none; };        // global default: refuse queries unless a zone overrides
    recursion no;                 // no recursive service at all
};

zone "." {
    type hint;
    file "root.cache";
};

zone "abc.com" {
    type master;
    file "db.abc";
    allow-query { any; };         // authoritative data is answered for everyone
    allow-update { none; };
    allow-transfer { key server01-server02; };
};

If I run bind with this configuration the client's query gets denied.

The only way I've been able to get forwarding and queries to work is if I allow recursive queries either by not adding anything about recursion (defaults to yes) or adding allow-recursion (restricted with an ACL).

I'm no DNS Bind expert so I wanted to confirm if recursion must be allowed in this case.

Thx in advance.
 
Old 03-06-2013, 10:28 PM   #2
shawnshawn
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
Never mind, I think I found what I needed.

Looks like with forward only it doesn't allow recursion anyway.

Forward-only servers
"When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion."

http://technet.microsoft.com/en-us/l...(v=ws.10).aspx
 
Old 05-08-2013, 02:24 PM   #3
u2013
LQ Newbie
 
Registered: Apr 2013
Posts: 14

Rep: Reputation: Disabled
Selected domains forwarded on a master DNS while limiting recursion?

Maybe you can help me out with the following.

INITIAL INFO:
The dns servers run at least bind 9.3.x.x.x.
Recursion is on by default and limited globally via allow-recursion as part of options.

Meanings below:
IPA = IP Address
IPAR = IP Address Range
NS-IPA = Name Server IP Address.
The config has been simplified for this example.

Contents of named.conf file.
----------------------------

options {
    directory "/var/named";
    allow-recursion { IPAR1; IPAR2; IPAR3; IPA1; IPA2; IPA3; localnets; localhost; };
    allow-transfer { IPA4; IPA5; IPA6; IPA7; localhost; };
    listen-on {
        127.0.0.1;
        IPA1;
        IPA2;
        IPA3;
    };
    check-names master ignore;
};

logging {
    category lame-servers { null; };
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "localhost" IN {
    type master;
    file "forward.localhost";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "reverse.127.0.0";
    allow-update { none; };
};

zone "exampledomain1.com" {
    type master;
    file "db.exampledomain1.com";
};

zone "exampledomain2.com" {
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };
    forward only;
};

zone "exampledomain3.com" {
    type master;
    file "db.exampledomain3.com";
};
-----------------

PROBLEM:
For the forwarded domain name exampledomain2.com, it seems that queries from the outside world are not getting forwarded to NS-IPA8 or NS-IPA9; a REFUSED response is returned instead.
If a lookup of exampledomain2.com is done on this DNS server itself, then the IPA for exampledomain2.com gets cached, and on further requests from the public Internet for exampledomain2.com an IPA is provided from cache.

QUESTIONS:
So, is there no way to have the forward work while having recursion limited (basically having recursion seen as set to no from the Internet's point of view)?

What about putting a "recursion yes;" in the zone section?
Making it this:
zone "exampledomain2.com" {
    recursion yes;
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };
    forward only;
};


I want the DNS server to do recursion only for specific networks and/or IPAs, be master for some domain names, and forward query requests for some other domain names to two other DNS servers.
 
Old 05-09-2013, 03:20 AM   #4
shawnshawn
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
I haven't experimented with your type of config so I might not be of much help.
My server is just doing "forward only" for everything.

From what I've read, putting "type forward" and "forward only" in a specific zone should override what you have in the options section.

I'm not sure if "recursion yes" is a valid zone clause.
I don't see it listed here:
http://www.zytrax.com/books/dns/ch7/zone.html
..but maybe something's changed with your bind version.

It seems that something like this might work for you...
http://gleamynode.net/articles/2267/
...but instead of having "forward only" in your options section you would have something like what you put:
// The acl must be defined before the options block that references it,
// otherwise named rejects the config with an undefined ACL error.
acl "allowed_list" {
    127.0.0.1;
    x.x.x.x/24;
    x.x.x.x;
};

options {
    allow-recursion { allowed_list; };
    allow-query { allowed_list; };
};

...restricting recursion, etc., and then you could add your master zones and forward zones.
Hopefully this helps.
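Added example, written for this thread and not taken from any poster or from ISC BIND: a small Python auditor that parses a named.conf the way the posts above read it by eye and reports the recursion/forwarding interactions discussed (recursion off with forwarders set, a global allow-query { none; }, an open allow-recursion, "recursion" placed inside a zone, and forward zones that only serve clients in allow-recursion). It assumes BIND's brace-and-semicolon syntax and BIND's default of recursion yes when the option is absent; the two embedded configs and the 192.0.2.x/10.0.0.0/8 addresses are constructed samples, one modelled on the first post and one on the ACL layout suggested in this reply.

```python
"""Static audit of a BIND named.conf for the recursion/forwarding policy
discussed in this thread. Constructed example; not BIND code and not from
any of the posters. Assumes named.conf syntax and BIND's default of
recursion yes when the option is not set."""
import re

_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def strip_comments(text):
    """Remove /* */, // and # comments (all three forms are legal in named.conf)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*$", "", text, flags=re.M)


def tokenize(text):
    """Split into words, quoted strings (quotes dropped), braces and semicolons."""
    return [t.strip('"') for t in _TOKEN_RE.findall(strip_comments(text))]


def parse(tokens, pos=0):
    """Recursive-descent parse into a list of (words, body) statements.

    body is None for `name arg ...;` and a nested list for `name ... { ... };`.
    Returns (statements, position just after the closing brace)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos)
            stmts.append((words, body))
            words = []
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        elif tok == "}":
            return stmts, pos
        else:
            words.append(tok)
    return stmts, pos


def _setting(body, name):
    """Arguments of the simple statement `name ...;` in body, or None if absent."""
    for words, sub in body:
        if words and words[0] == name and sub is None:
            return words[1:]
    return None


def _members(body, name):
    """Entries of the block statement `name { a; b; };` in body, or None if absent."""
    for words, sub in body:
        if words and words[0] == name and sub is not None:
            return [w[0] for w, _ in sub if w]
    return None


def audit(config_text):
    """Return a list of human-readable findings about recursion and forwarding."""
    stmts, _ = parse(tokenize(config_text))
    findings = []
    opts = next((b for w, b in stmts if w and w[0] == "options" and b), [])
    recursion = (_setting(opts, "recursion") or ["yes"])[0]  # BIND default is yes
    allow_rec = _members(opts, "allow-recursion")
    forwarding = _setting(opts, "forward") or _members(opts, "forwarders")

    if recursion == "yes":
        if allow_rec is None:
            findings.append("recursion yes without allow-recursion: "
                            "relies on the BIND version's default ACL")
        elif "any" in allow_rec:
            findings.append("open resolver: allow-recursion { any; }")
    if recursion == "no" and forwarding:
        findings.append("forward/forwarders set but recursion no: "
                        "non-authoritative queries are REFUSED, nothing is forwarded")
    if _members(opts, "allow-query") == ["none"]:
        findings.append("options allow-query { none; }: only zones that set "
                        "their own allow-query answer at all")

    for words, body in stmts:
        if not (words and words[0] == "zone" and body):
            continue
        name = words[1] if len(words) > 1 else "?"
        if _setting(body, "recursion") is not None:
            findings.append(f'zone {name}: "recursion" is not a valid zone option')
        if (_setting(body, "type") or [""])[0] == "forward":
            if recursion == "no":
                findings.append(f"zone {name}: forward zone cannot work with recursion no")
            elif allow_rec is not None and "any" not in allow_rec:
                findings.append(f"zone {name}: forwarded only for clients matching "
                                "allow-recursion; everyone else gets REFUSED")
    return findings


# Constructed sample modelled on the first post: forward only, but recursion
# switched off globally and queries denied by default (TEST-NET addresses).
FORWARD_ONLY_NO_RECURSION = """
options {
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;
    allow-query { none; };
    recursion no;
};
zone "." { type hint; file "root.cache"; };
zone "abc.example" { type master; file "db.abc"; allow-query { any; }; };
"""

# Constructed hardened layout: forwarding (hence recursion) only for an
# internal ACL, authoritative zones open to everyone, no root hints.
RESTRICTED_RECURSION = """
acl "internal" { 127.0.0.1; 10.0.0.0/8; };
options {
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;
    recursion yes;
    allow-recursion { internal; };
    allow-query { any; };
};
zone "abc.example" { type master; file "db.abc"; };
zone "partner.example" { type forward; forward only; forwarders { 192.0.2.20; }; };
"""

if __name__ == "__main__":
    for label, cfg in (("no-recursion", FORWARD_ONLY_NO_RECURSION),
                       ("restricted", RESTRICTED_RECURSION)):
        print(label, audit(cfg) or ["no findings"])
```

Run against the first sample it reports the two things the opening post ran into (forwarders with recursion no, and the global allow-query { none; }); against the hardened sample its only finding is that the forward zone serves just the internal ACL and everyone else gets REFUSED, which is exactly the behaviour the third post observed and the policy the thread is after. The parser deliberately ignores views; a view-based split needs the same checks run per view.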
 
Old 05-09-2013, 11:59 AM   #5
u2013
LQ Newbie
 
Registered: Apr 2013
Posts: 14

Rep: Reputation: Disabled
TY. recursion not in zones. Taking a look at references.

I have determined that recursion is not available in zones.
Okay, taking a look at the references you provided.
Thank you.

Examining usage of ACL along with view clause.
 
  

