Forward zone does not work when allow recursive is restrictive


Forward zone does not work when allow recursive is restrictive

Sebastian Neumann
Hey there,

I am having an issue forwarding DNS queries and was hoping that one of you might be able to help me:

I have the following setup:

DNS-Server reachable from the internet, is authoritative for zone foo.com
DNS-Server reachable only locally, should be authoritative for zone test.lab.foo.com
What I try to achieve:

When a DNS query from the outside world reaches the first DNS server for a record belonging to the zone test.lab.foo.com, I want it to make a recursive request to the second DNS server and then forward the records.

I explicitly don't want to do zone transfers or make the second DNS server reachable from the internet.

My configuration looks like this (I only copied the [what I think] important parts here, as the whole config would be a few hundred lines because of split view and many zones):

On the first DNS-Server

options {
        allow-recursion {
                localnets;
                localhost;
                internal;
                my-datacenter;
                mc-office;
        };
};

zone "test.lab.foo.com" {
        type forward;
        forward only;
        forwarders {
                <private IP of second DNS server>;
        };
};

zone "foo.com" {
        type master;
        file "/etc/bind/zones/foo.com.zone";
};
My issue:

When I am in a local network that is whitelisted in the allow-recursion block, it works as expected. When I try the DNS lookup from the internet, I get a NOERROR with an empty response back.

During debugging, I adjusted the allow-recursion list and added any to it. Then it was working. But I don't want my DNS server to allow any kind of recursion. I actually only want "outside" lookups for this one specific zone to be recursive.

How can I set something like allow-recursion for just one zone?

Thanks a lot already
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
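To make the symptom in Sebastian's post observable, here is an added diagnostic (not from the original thread, and not ISC's or BIND's code) that builds a minimal A query with the RD bit set and then reads the reply header: rcode, answer count and the RA bit together tell you whether the server answered from its own zone, recursed on your behalf, or declined to recurse for your source address. The sample replies at the bottom are constructed byte strings, so the classification runs offline; the `probe` helper is the only part that touches the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5

def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal A/IN query; rd=True asks the server to recurse for us."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(msg: bytes) -> str:
    """Explain, from the header alone, what the server did with our query."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    ra = bool(flags & FLAG_RA)
    if rcode == RCODE_REFUSED:
        return "REFUSED: server rejected the query outright"
    if flags & FLAG_AA:
        return ("authoritative answer" if ancount else
                "authoritative NODATA: zone exists locally, name has no A record")
    if ancount:
        return "recursive answer: server recursed on our behalf"
    if rcode == 0 and not ra:
        # The case from the thread: no local data for the name and the
        # client is outside allow-recursion, so nothing was fetched.
        return "NOERROR, empty, RA=0: server will not recurse for this client"
    return f"rcode={rcode} answers={ancount} RA={int(ra)}"

def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to your own server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)

# Constructed sample replies (header only; enough for classification).
EMPTY_NOERROR_NO_RA = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0)
RECURSIVE_ANSWER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
```

Running `probe` from an address inside the allow-recursion list and again from outside it shows the RA bit flip, which is the quickest way to confirm that the empty NOERROR is a recursion-policy result rather than a zone-data problem.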

Re: Forward zone does not work when allow recursive is restrictive

Mark Andrews
"forward" does not mean "proxy". Additionally, servers out on the internet make iterative queries. They are non-recursive *AND* follow delegations. Making a proxy work is more than just relaying the request and the response.

BIND does not support proxying other servers.

> On 10 Feb 2021, at 08:44, Sebastian Neumann <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: Forward zone does not work when allow recursive is restrictive

crazyfred
In reply to this post by Sebastian Neumann
This is very similar to what I wanted to do some time ago, but concluded
this is not possible with bind.

But, I've modified bind in order to be able to do that anyway.
The trick was to use a "static-stub" zone with a small modification in
bind code.

In my bind-9.16.6, I modified file query.c to look like this:

lib/ns/query.c


        /*
         * Non recursive query to a static-stub zone is prohibited; its
         * zone content is not public data, but a part of local configuration
         * and should not be disclosed.
         */
        /*if (dns_zone_gettype(zone) == dns_zone_staticstub &&
            !RECURSIONOK(client)) {
                return (DNS_R_REFUSED);
        }*/
        if (dns_zone_gettype(zone) == dns_zone_staticstub)
                client->query.attributes |= NS_QUERYATTR_RECURSIONOK;



One "if" was commented to remove the check on recursion.
One "if" was added to "force" recursion.

With this modification, I turned bind into some kind of proxy for a sub-zone.
I don't really know if there are some nasty side effects, but in my case
this is not a real problem because I don't normally use static-stub
zones except for one very specific usage.

Maybe some bind expert would like to comment on this.

Frédéric Lochon.

On 09/02/2021 at 22:44, Sebastian Neumann wrote:
