DNS bind 9.8.2 el6 x86 forwarding with no recursive lookups
I haven't found much on the web specifically about this so I wanted to ask if anybody knows if it is possible to have Bind configured as forwarding only, with no recursive queries allowed?
This would be on an authoritative master.
The reasoning for this is due to company (best practice) security policies stating that an authoritative master should not allow recursive queries. We do have a separate server dedicated for recursion that we can forward to. Root hints are also implemented but it is suggested that they be removed as well.
If I run bind with this configuration the client's query gets denied.
The only way I've been able to get forwarding and queries to work is if I allow recursive queries either by not adding anything about recursion (defaults to yes) or adding allow-recursion (restricted with an ACL).
I'm no DNS Bind expert so I wanted to confirm if recursion must be allowed in this case.
Looks like with forward only it doesn't allow recursion anyways.
"Forward-only servers
When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion."
zone "localhost" IN {
    type master;
    file "forward.localhost";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "reverse.127.0.0";
    allow-update { none; };
};
zone "exampledomain1.com" {
    type master;
    file "db.exampledomain1.com";
};
zone "exampledomain2.com" {
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };   // placeholders for the two forwarder IP addresses
    forward only;                       // never fall back to iterative resolution
};
zone "exampledomain3.com" {
    type master;
    file "db.exampledomain3.com";
};
-----------------
PROBLEM:
For the forwarded domain name exampledomain2.com, it seems that the outside world is not getting forwarded to NS-IPA8 or NS-IPA9, and a REFUSED response is returned.
If a lookup of exampledomain2.com is done on this DNS server, then the IPA for exampledomain2.com gets cached, and upon further requests from the public Internet for exampledomain2.com, an IPA is provided from cache.
QUESTIONS:
So, is there no way to have the forward work while having recursion limited (basically having recursion seen as set to no from the Internet's point of view)?
What about putting a "recursion yes;" in the zone section?
Making it this:
zone "exampledomain2.com" {
    recursion yes;
    type forward;
    forwarders { NS-IPA8; NS-IPA9; };
    forward only;
};
I want the DNS server to do recursion only for specific networks and/or IPAs, be master for some domain names, and forward query requests for some other domain names to two other DNS servers.
I haven't experimented with your type of config so I might not be of much help.
My server is just doing "forward only" for everything.
From what I've read, putting "type forward" and "forward only" in a specific zone should override what you have in the options section.
I'm not sure if "recursion yes" is a valid zone clause.
I don't see it listed here:
http://www.zytrax.com/books/dns/ch7/zone.html
..but maybe something's changed with your bind version.
It seems that something like this might work for you...
http://gleamynode.net/articles/2267/
...but instead of having "forward only" in your options section you would have something like what you put:
options {
    allow-recursion { allowed_list; };   // allowed_list is an acl defined elsewhere in named.conf
    allow-query { allowed_list; };
};
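The following is an added example and not the configuration of anyone in this thread. It covers both the first post (forward-only with recursion denied) and the REFUSED problem above: in BIND, forwarding is recursion performed on the client's behalf, so a client that is denied recursion is also denied forwarding, and `recursion` is an options/view statement, not a zone statement, so `recursion yes;` inside a zone will not load. The usual way to give internal clients a working forward zone while the Internet sees an authoritative-only server is two views. Addresses in 192.0.2.0/24 are placeholders (the RFC 5737 documentation range) standing in for NS-IPA8, NS-IPA9 and the dedicated recursive server; the "trusted" network is a placeholder as well; zone file names are the ones used in the thread.

```conf
// Added example, not from any post in this thread (BIND 9.8-style named.conf).
// Placeholders: 192.0.2.8 / 192.0.2.9 = NS-IPA8 / NS-IPA9, 192.0.2.53 = the
// dedicated recursive server, 10.0.0.0/8 = internal networks allowed to recurse.

acl "trusted" {
    127.0.0.1;
    10.0.0.0/8;
};

options {
    directory "/var/named";
    allow-query { any; };          // authoritative data is public
};

// Internal clients: recursion on, and everything non-authoritative goes to the
// dedicated recursive server, so this box never needs root hints.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    forwarders { 192.0.2.53; };    // placeholder: dedicated recursive server
    forward only;                  // never fall back to iterative resolution

    zone "exampledomain1.com" {
        type master;
        file "db.exampledomain1.com";
    };
    zone "exampledomain2.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.8; 192.0.2.9; };   // placeholders for NS-IPA8, NS-IPA9
    };
    zone "exampledomain3.com" {
        type master;
        file "db.exampledomain3.com";
    };
};

// Everyone else: purely authoritative. No recursion, no cache answers, and no
// forward zone, so an Internet query for exampledomain2.com is REFUSED rather
// than forwarded, and nothing cached via the internal view leaks out.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };   // already the default with "recursion no"; kept explicit

    zone "exampledomain1.com" {
        type master;
        file "db.exampledomain1.com";
    };
    zone "exampledomain3.com" {
        type master;
        file "db.exampledomain3.com";
    };
};
```

Two caveats: once any view is defined, BIND requires every zone (including the localhost and 0.0.127.in-addr.arpa zones from the config above) to live inside a view, and each view loads its own copy of the master zones. To check the result, run named-checkconf, then from an address outside "trusted" query the server with dig: a SOA query for exampledomain1.com should come back with the aa flag and without ra, and a query for a name under exampledomain2.com should come back REFUSED; from a trusted address the same exampledomain2.com query should be answered via the forwarders.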