LinuxQuestions.org


registering 06-15-2004 08:56 AM

Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients)
 
Hi,
While I'm not really sure if it is a security issue, I would prefer to not have all my LAN machine names resolved if someone from the internet is asking. However I want them all resolved if someone inside my LAN is asking. For example, if mymachine.mydomain.com exists, and someone from the internet asks, I don't want bind to give it anything, but if someone inside asks for mymachine or mymachine.mydomain.com, I'd like it resolved. External clients should only get a subset of all possible names resolved (e.g., www.mydomain.com).
Right now my DNS resolves mymachine using a LAN IP (192.168.0.xxx), which should be useless to anyone OUTSIDE my LAN, but I get a feeling there's a more secure way to do this. Does anyone know if this is true? Can BIND do this? Is there an advantage to doing it this way, like better security or am I just wasting time?
Thanks for any advice!

peter_robb 06-16-2004 05:53 AM

From a practical point of view, I gotta ask why it's necessary to resolve your internal machines?

There have to be hundreds of different opinions about "how" to use dns, and I have my own preferences as you do, but for me, to have an Internet accessible dns server resolving "non-internet" services seems unnecessary..

To make 'machine1.mydomain.com' resolve to a non-routable network goes against the RFCs..

I rather prefer to install a small dns proxy eg dnsmasq internally to do that, which then uses your bind server as well as external servers to resolve Internet numbers.
A separate hosts file is maintained containing all your local, dmz and dynamic numbers. It can even check dhcp records..

Getting back to Bind..
Have a look at this mailing list question to get an idea on setting up access control with 'views'
http://marc.theaimsgroup.com/?l=bind...0826202891&w=2
& http://marc.theaimsgroup.com/?l=bind...0874008651&w=2 for a correction..
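
The dnsmasq arrangement described above, written out as an added example (this is not peter_robb's configuration and not from the thread). It assumes a LAN on 192.168.0.0/24 with the BIND server at 192.168.0.1 answering for mydomain.com, an ISP resolver at the placeholder address 203.0.113.53, and a hosts file at /etc/hosts.lan; all of those values are assumptions:

```conf
# /etc/dnsmasq.conf (excerpt) -- internal DNS proxy for the LAN only
interface=eth0                  # LAN-facing interface; nothing listens on the Internet side
bind-interfaces                 # bind only that interface, not 0.0.0.0
no-resolv                       # do not read /etc/resolv.conf; use the server= lines below

# Public names for mydomain.com come from the BIND box; everything else goes to the ISP.
server=/mydomain.com/192.168.0.1
server=203.0.113.53             # placeholder for your upstream resolver

# LAN hosts live in a separate file so they never appear in BIND's zone at all.
addn-hosts=/etc/hosts.lan
expand-hosts                    # "mymachine" also answers as "mymachine.mydomain.com"
domain=mydomain.com

# Optional: if dnsmasq also hands out leases, names from DHCP requests resolve too.
dhcp-range=192.168.0.100,192.168.0.200,12h

# /etc/hosts.lan (constructed sample; one entry per internal machine)
# 192.168.0.10   mymachine
# 192.168.0.20   printer
```

With this split, the Internet-facing BIND server never holds the LAN names, so there is nothing for an outside query to leak; the only place 192.168.0.x addresses exist is on the proxy that outside hosts cannot reach.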

linuxxed 06-16-2004 07:22 AM

Re: Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients)
 

Yep check BIND9 documentation. You can use "acl" directive or the "view" directive. You can do all sorts of things with BIND. I don't think you can restrict viewings within a zone. You are better off defining internal and external domains and sticking acls/views.
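
A worked example of the acl/view approach both replies point at, added here and not taken from the thread or from ISC's documentation. It keeps one zone name (mydomain.com) but serves two different zone files depending on which view the client lands in. Assumed values: the LAN is 192.168.0.0/24, the server's public address is the placeholder 203.0.113.10, and the zone files live under /var/named; the root hints file path is also an assumption:

```conf
// /etc/named.conf (excerpt)

// Who counts as "inside": the LAN plus the server itself.
acl "internal" {
    127.0.0.0/8;
    192.168.0.0/24;
};

// Views are tried in order and the first match-clients hit wins,
// so the internal view must come before the catch-all external one.
// Once views are used, every zone (hints included) has to live inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;                       // LAN clients may use this box as a resolver

    zone "." {
        type hint;
        file "/var/named/named.ca";      // assumed root hints path
    };

    zone "mydomain.com" {
        type master;
        file "/var/named/internal/mydomain.com.zone";
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // never recurse for the Internet (avoids an open resolver)

    zone "mydomain.com" {
        type master;
        file "/var/named/external/mydomain.com.zone";
        allow-transfer { none; };        // no zone dumps to outsiders
    };
};

// /var/named/internal/mydomain.com.zone  (seen by LAN clients only)
// $TTL 86400
// @          IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (
//                   2004061601 ; serial
//                   3600       ; refresh
//                   900        ; retry
//                   604800     ; expire
//                   86400 )    ; minimum
//            IN NS  ns1.mydomain.com.
// ns1        IN A   192.168.0.1
// www        IN A   192.168.0.1
// mymachine  IN A   192.168.0.10

// /var/named/external/mydomain.com.zone  (seen by everyone else; no LAN hosts at all)
// $TTL 86400
// @          IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (
//                   2004061601 ; serial
//                   3600       ; refresh
//                   900        ; retry
//                   604800     ; expire
//                   86400 )    ; minimum
//            IN NS  ns1.mydomain.com.
// ns1        IN A   203.0.113.10
// www        IN A   203.0.113.10
```

Check the files with named-checkconf and named-checkzone before reloading, then verify the split from both sides: `dig @192.168.0.1 mymachine.mydomain.com` from a LAN host should return 192.168.0.10, while the same query from outside should get NXDOMAIN and a query for www.mydomain.com should get the public address. Keep the two serials in step when you edit, and remember that the external view is what the whole Internet sees, so it is the one to audit when a name you thought was internal shows up in a public lookup.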

registering 06-16-2004 07:25 AM

Thanks! :)
