Can BIND 9 (DNS) resolve names based on who's asking? (internal vs. external clients)
Hi,
While I'm not really sure if it is a security issue, I would prefer to not have all my LAN machine names resolved if someone from the internet is asking. However I want them all resolved if someone inside my LAN is asking. For example, if mymachine.mydomain.com exists, and someone from the internet asks, I don't want bind to give it anything, but if someone inside asks for mymachine or mymachine.mydomain.com, I'd like it resolved. External clients should only get a subset of all possible names resolved (e.g., www.mydomain.com).
Right now my DNS resolves mymachine using a LAN IP (192.168.0.xxx), which should be useless to anyone OUTSIDE my LAN, but I get a feeling there's a more secure way to do this. Does anyone know if this is true? Can BIND do this? Is there an advantage to doing it this way, like better security or am I just wasting time?
Thanks for any advice!
From a practical point of view, I gotta ask why it's necessary to resolve your internal machines?
There have to be hundreds of different opinions about "how" to use DNS, and I have my own preferences as you do, but for me, to have an Internet-accessible DNS server resolving "non-internet" services seems unnecessary..
To make 'machine1.mydomain.com' resolve to a non-routable network goes against the RFCs..
I rather prefer to install a small DNS proxy, e.g. dnsmasq, internally to do that, which then uses your BIND server as well as external servers to resolve Internet numbers.
A separate hosts file is maintained containing all your local, DMZ and dynamic numbers. It can even check DHCP records..
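The setup the reply above sketches, an internal dnsmasq that answers LAN names from its own hosts file and forwards everything else, as an added configuration example (not posted in the thread and not from the dnsmasq project). The interface name, the addresses, the BIND server address and the hosts-file path are assumptions; only mydomain.com, mymachine and the 192.168.0.0/24 LAN come from the original post.

```conf
# Added example: /etc/dnsmasq.conf for a LAN-only resolver (assumed values).

# Listen only on the LAN side; this box must never answer Internet clients.
interface=eth0                 # assumption: LAN interface
bind-interfaces
listen-address=192.168.0.1     # assumption: this host's LAN address

# LAN names come from a dedicated hosts(5)-format file, not /etc/hosts.
# Example contents of /etc/dnsmasq.hosts (constructed):
#   192.168.0.10  mymachine mymachine.mydomain.com
#   192.168.0.20  fileserver
no-hosts
addn-hosts=/etc/dnsmasq.hosts

# Plain "mymachine" is answered as mymachine.mydomain.com (and vice versa).
domain=mydomain.com
expand-hosts
domain-needed                  # never forward bare single-label names upstream

# Anything under mydomain.com not found in the hosts file goes to the BIND
# server; everything else goes to the public resolvers listed here.
no-resolv
server=/mydomain.com/192.168.0.2   # assumption: the BIND server's LAN address
server=9.9.9.9
server=149.112.112.112

# Reject upstream answers that point at private address space (DNS rebinding),
# but allow them for our own domain, whose internal answers are RFC 1918.
stop-dns-rebind
rebind-domain-ok=/mydomain.com/
bogus-priv                     # don't leak reverse lookups for 192.168.x.x upstream

# Optional: if dnsmasq is also the DHCP server, the hostnames clients send in
# their DHCP requests are registered in DNS automatically ("dynamic numbers").
dhcp-range=192.168.0.100,192.168.0.200,12h
```

Check it with `dnsmasq --test` before restarting, then from a LAN host run `dig @192.168.0.1 mymachine A` and `dig @192.168.0.1 www.mydomain.com A`; the first should be answered from the hosts file, the second forwarded to the BIND server. Without `rebind-domain-ok`, `stop-dns-rebind` would silently drop any private address the BIND server returns for mydomain.com, which is an easy mistake to spend an hour on.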
Re: Can BIND 9 (DNS) resolve names based on who's asking? (internal vs. external clients)
Quote: Originally posted by registering (the opening post, quoted in full)
Yep, check the BIND 9 documentation. You can use the "acl" directive or the "view" directive. You can do all sorts of things with BIND. I don't think you can restrict viewings within a zone. You are better off defining internal and external domains and sticking ACLs/views on them.
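What the reply above points at, an `acl` plus two `view` blocks so that the same zone name is served from a full zone file to the LAN and from a public-subset zone file to everyone else, as an added named.conf example (not posted in the thread and not from the BIND documentation). The zone name mydomain.com and the 192.168.0.0/24 LAN are from the original post; the directory and zone-file paths are assumptions.

```conf
// Added example: split-horizon named.conf for BIND 9 (assumed paths).

acl "internal" {
    127.0.0.0/8;
    192.168.0.0/24;            // the LAN from the original post
};

options {
    directory "/var/named";    // assumption
    listen-on { any; };
    recursion no;              // default: no recursion; the internal view re-enables it
    allow-transfer { none; };  // default for every zone unless overridden below
};

// Once any view is defined, every zone must live inside a view. Views are
// tried in order and the first match-clients hit wins, so the internal view
// must precede the catch-all external one.
view "internal" {
    match-clients { internal; };
    recursion yes;             // LAN hosts may use this server as their resolver
    allow-recursion { internal; };

    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";   // full zone: www, mymachine, ...
    };
    zone "0.168.192.in-addr.arpa" {          // optional reverse zone for the LAN
        type master;
        file "internal/0.168.192.in-addr.arpa.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;              // authoritative-only toward the Internet
    allow-query-cache { none; };

    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.zone";   // public subset only: NS, MX, www
        allow-transfer { none; };            // an AXFR would list every name
    };
};
```

The two zone files are separate copies; the external one simply omits mymachine and the other LAN records. Run `named-checkconf /etc/named.conf` and `named-checkzone mydomain.com /var/named/external/mydomain.com.zone` before reloading, then verify from outside the LAN that `dig @ns.mydomain.com mymachine.mydomain.com A` returns NXDOMAIN and `dig @ns.mydomain.com mydomain.com AXFR` is refused, while the same queries from a 192.168.0.x host succeed. Two practical caveats: LAN clients that reach the server through a NAT hairpin on its public address arrive with a public source IP and land in the external view, and if the zone is DNSSEC-signed each view's copy has to be signed on its own.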