LinuxQuestions.org - Linux - Server
DNS bind 9.8.2 el6 x86 forwarding with no recursive lookups
(https://www.linuxquestions.org/questions/linux-server-73/dns-bind-9-8-2-el6-x86-forwarding-with-no-recursive-lookups-4175452905/)

shawnshawn 03-06-2013 01:02 AM

DNS bind 9.8.2 el6 x86 forwarding with no recursive lookups
 
I haven't found much on the web specifically about this, so I wanted to ask if anybody knows whether it is possible to have Bind configured as forwarding only, with no recursive queries allowed.
This would be on an authoritative master.

The reasoning for this is due to company (best practice) security policies stating that an authoritative master should not allow recursive queries. We do have a separate server dedicated for recursion that we can forward to. Root hints are also implemented, but it has been suggested that they be removed as well.

I've tested with the following in named.conf:

options {
    forwarders {
        x.x.x.x;
        x.x.x.x;
        x.x.x.x;
    };
    forward only;
    allow-transfer { tranz; };      // "tranz" is an ACL defined elsewhere in the config (not shown)
    allow-query { none; };          // default for anything that is not a zone below
    recursion no;
};

zone "." {
    type hint;
    file "root.cache";
};

zone "abc.com" {
    type master;
    file "db.abc";
    allow-query { any; };           // overrides the options-level allow-query for this zone
    allow-update { none; };
    allow-transfer { key server01-server02; };
};

If I run bind with this configuration the client's query gets denied.

The only way I've been able to get forwarding and queries to work is if I allow recursive queries either by not adding anything about recursion (defaults to yes) or adding allow-recursion (restricted with an ACL).

I'm no DNS Bind expert so I wanted to confirm if recursion must be allowed in this case.

Thx in advance.
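As an added example that is not from the post or from ISC's documentation, here is a named.conf that meets the policy described above (authoritative-only, no recursion, no forwarding, no root hints). The zone name, zone file and key name follow the post; the directory, the TSIG algorithm and the secret placeholder are assumptions. The example relies on one BIND fact: forwarders are only consulted while the server is recursing on a client's behalf, so "forwarders" and "forward only" do nothing once "recursion no" is set. An authoritative-only server therefore simply has no forwarders, and clients that need general resolution are pointed at the dedicated recursive server instead.

```conf
// Added example (not from the post): authoritative-only named.conf.
// Placeholders: directory, TSIG algorithm and secret.

key "server01-server02" {
    algorithm hmac-sha256;                       // assumption; supported by BIND 9.8
    secret "REPLACE-WITH-A-BASE64-TSIG-SECRET";  // e.g. dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST server01-server02
};

options {
    directory "/var/named";                      // assumption

    // Authoritative only: never resolve on behalf of a client.
    // Forwarding is a form of recursion, so no "forwarders" / "forward only"
    // here; they would be dead configuration with recursion off.
    recursion no;

    // Default for any name that is not in one of our zones: REFUSED.
    // The zone statement below overrides this for our own data.
    allow-query { none; };
    allow-query-cache { none; };

    // No transfers unless a zone says otherwise.
    allow-transfer { none; };

    // No zone "." of type hint: with recursion off there is nothing to chase
    // referrals with, and nothing to hand out to whoever probes the server.
};

zone "abc.com" {
    type master;
    file "db.abc";
    allow-query { any; };                        // the public may query our data
    allow-update { none; };
    allow-transfer { key server01-server02; };   // TSIG-authenticated secondaries only
};
```

Check it with `named-checkconf /etc/named.conf` before reloading. Then, from a host that is not the recursive server, `dig @<server> abc.com SOA` should show `aa` in the flags and no `ra` (recursion available is not advertised), and `dig @<server> www.example.net A` should come back with `status: REFUSED` rather than an answer or a referral. Anything that still needs general name resolution gets the dedicated recursive server in its resolv.conf, not this host.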

shawnshawn 03-06-2013 10:28 PM

Never mind, I think I found what I needed.

Looks like with forward only it doesn't allow recursion anyways.

"Forward-only servers
When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion."

http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

u2013 05-08-2013 02:24 PM

Selected domains forwarded on master DNS while limiting recursion?
 
Maybe you can help me out with the following.

INITIAL INFO:
The dns servers run at least bind 9.3.x.x.x.
Recursion is on by default and limited globally via allow-recursion as part of options.

Meanings below:
IPA = IP Address
IPAR = IP Address Range
NS-IPA = Name Server IP Address.
The config has been simplified for this example.

Contents of named.conf file.
----------------------------

options {
    directory "/var/named";
    allow-recursion { IPAR1; IPAR2; IPAR3; IPA1; IPA2; IPA3; localnets; localhost; };
    allow-transfer { IPA4; IPA5; IPA6; IPA7; localhost; };
    listen-on {
        127.0.0.1;
        IPA1;
        IPA2;
        IPA3;
    };
    check-names master ignore;
};

logging {
    category lame-servers { null; };
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "localhost" IN {
    type master;
    file "forward.localhost";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "reverse.127.0.0";
    allow-update { none; };
};

zone "exampledomain1.com" {
    type master;
    file "db.exampledomain1.com";
};

// forward zone: queries for this name go to NS-IPA8 / NS-IPA9 only
zone "exampledomain2.com" {
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };
    forward only;
};

zone "exampledomain3.com" {
    type master;
    file "db.exampledomain3.com";
};
-----------------

PROBLEM:
For the forwarded domain name exampledomain2.com, it seems that queries from the outside world are not getting forwarded to NS-IPA8 or NS-IPA9; a REFUSED response is returned instead.
If on this dns server a lookup of the exampledomain2.com is done, then the IPA for exampledomain2.com gets cached and upon further requests by public Internet for exampledomain2.com, an IPA is provided from cache.

QUESTIONS:
So, is there no way to have the forward work while having recursion limited (basically having recursion seen as set to no from the Internet's point of view)?

What about putting a "recursion yes;" in the zone section?
Making it this:
zone "exampledomain2.com" {
    recursion yes;
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };
    forward only;
};


I want the DNS server to do recursion only for specific networks and/or IPAs, be master for some domain names, and forward query requests for some other domain names to two other DNS servers.

shawnshawn 05-09-2013 03:20 AM

I haven't experimented with your type of config so I might not be of much help.
My server is just doing "forward only" for everything.

From what I've read, putting "type forward" and "forward only" in a specific zone should override what you have in the options section.

I'm not sure if "recursion yes" is a valid zone clause.
I don't see it listed here:
http://www.zytrax.com/books/dns/ch7/zone.html
..but maybe something's changed with your bind version.

It seems that something like this might work for you...
http://gleamynode.net/articles/2267/
...but instead of having "forward only" in your options section you would have something like what you put:
// an acl must be defined before it is referenced, so it goes first
acl "allowed_list" {
    127.0.0.1;
    x.x.x.x/24;
    x.x.x.x;
};

options {
    allow-recursion { allowed_list; };
    allow-query { allowed_list; };    // master zones that the public should see need their own allow-query { any; }
};

Restricting recursions, etc. and then you could add your master zones and forward zones.
Hopefully this helps.

u2013 05-09-2013 11:59 AM

TY. Recursion not in zones. Taking a look at references.
 
I have determined that recursion is not available in zones.
Okay, taking a look at the references you provided.
Thank you.

Examining usage of ACL along with view clause.
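The ACL-plus-view layout mentioned in the post above, written out as an added example that is not from the thread or from ISC. "recursion", "allow-recursion" and "forwarders" are options/view-level statements, not zone statements, so the split has to be done per view: one view for the networks that may recurse (with the forward zone in it) and one for everyone else that is authoritative only. Zone names, zone files and the NS-IPA8/NS-IPA9 forwarders follow the post; the "internal" ACL ranges and the directory are placeholders chosen here.

```conf
// Added example (not from the thread): selective recursion with views.
// Placeholders: the "internal" ranges and the directory.

acl "internal" {
    127.0.0.1;
    10.0.0.0/8;          // placeholder: networks allowed to recurse
    192.0.2.0/24;        // placeholder
};

options {
    directory "/var/named";
    // Global defaults; each view overrides what it needs.
    recursion no;
    allow-transfer { none; };
};

logging {
    category lame-servers { null; };
};

// Views are tried in order and the first match-clients that matches wins.
// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    zone "." IN {
        type hint;
        file "named.root";
    };

    zone "localhost" IN {
        type master;
        file "forward.localhost";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "reverse.127.0.0";
        allow-update { none; };
    };

    zone "exampledomain1.com" {
        type master;
        file "db.exampledomain1.com";
    };

    // Forwarding only happens while the server is recursing, so the
    // forward zone belongs in this view and in this view only.
    zone "exampledomain2.com" {
        type forward;
        forwarders { NS-IPA8; NS-IPA9; };
        forward only;
    };

    zone "exampledomain3.com" {
        type master;
        file "db.exampledomain3.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                    // nothing resolved on behalf of the Internet
    allow-query { none; };           // REFUSED for any name we are not authoritative for
    allow-query-cache { none; };

    // Only the zones this server is authoritative for: no hints and no
    // forward zone, so an outside query for exampledomain2.com is REFUSED
    // rather than forwarded.
    zone "exampledomain1.com" {
        type master;
        file "db.exampledomain1.com";
        allow-query { any; };
    };

    zone "exampledomain3.com" {
        type master;
        file "db.exampledomain3.com";
        allow-query { any; };
    };
};
```

Validate with `named-checkconf /etc/named.conf`, then test from both sides: from an "internal" address, `dig @<server> www.exampledomain2.com A` should return an answer with `ra` set in the flags; from any other address the same query should return `status: REFUSED` with no `ra`, while `dig @<server> exampledomain1.com SOA` still answers with `aa`. The same master zone file can be loaded by both views; only slave zones would need separate file names per view.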

