Forward zone inside a view


Forward zone inside a view

Roberto Carna
Dear all, I have Bind 9.10.3 as our private DNS service with two views; one of them lets some clients query the linux.org domain on the Internet by forwarding the query to our Bind resolvers, but the query is refused by our private Bind.

The private Bind has these main parameters in named.conf.options:

options {
        directory "/var/cache/bind";
        allow-transfer { "none"; };

        dnssec-validation auto;
        dnssec-enable yes;
        auth-nxdomain no;
        allow-query { any; };
        recursion no;
        version "none";
};

And this is the relevant part of named.conf.local:

acl internet { 10.0.0.0/24; };

view "INTERNET" {
   match-clients { internet; key "custom";};

zone "linux.org" {
        type forward;
        forward only;
        forwarders {
                172.18.1.1;
                172.18.1.2;
        };
};

};

Please, can you help me forward queries for linux.org hostnames from the private BIND with the views to our resolvers?

Thanks a lot!!!

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Forward zone inside a view

Tony Finch
Roberto Carna <[hidden email]> wrote:

> Dear, I have Bind 9.10.3 as our private DNS service with two views, one of
> them let some clients to query linux.org domain from Internet forwarding
> the query to our Bind resolvers, but the query is refused by our private
> Bind.

You can't forward to an authoritative-only server. Use a static-stub zone
configuration instead.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Tyne: West, backing south, 5 to 7. Slight or moderate, occasionally rough
later. Showers. Good occasionally moderate.

Re: Forward zone inside a view

Roberto Carna
Dear Tony, I forward the "linux.org" queries from our private Bind to our Bind resolvers (they have authoritative public zones and also they are resolvers that forward the queries to 8.8.8.8).

So why do you say they are authoritative-only servers?

As I said, can I still use the forward option for "linux.org"?

Thanks a lot again!!!


Re: Forward zone inside a view

Tony Finch
Roberto Carna <[hidden email]> wrote:

> Dear Tony, I forward the "linux.org" queries from our private Bind to our
> Bind resolvers (they have authoritative public zones and also they are
> resolvers that forward the queries to 8.8.8.8).
>
> So why you say they are authoritative only servers?

Oh, I misread your explanation, I thought the "recursion no" in your
configuration was on the target server. But it is on the server with the
"type forward" zone, and since forwarding requires recursion, it will not
work.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Shannon: Southwest 7 to severe gale 9, veering west gale 8 to storm 10 later.
Very rough, becoming high or very high. Rain or squally showers. Poor.

Re: Forward zone inside a view

Roberto Carna
Tony, as you said, forwarding requires recursion, but when I define:

zone "linux.org" {
        recursion yes;
        type forward;
        forward only;
        forwarders {
                172.18.1.1;
                172.18.1.2;
        };
};

and then restart the bind9 service, it fails:

unknown option 'recursion'

So how can I define "recursion yes" just for the zone "linux.org" ???

Sorry for my new question, I'd appreciate your help.

Regards!!!



Re: Forward zone inside a view

Roberto Carna
When I query www.teamviewer from a desktop, the query fails and I get this error from dig:

 WARNING: recursion requested but not available

In BIND I have in named.conf.local:

zone "linux.org" {
        type forward;
        forwarders {
                172.18.1.1;
                172.18.1.2;
        };
};

and "recursion no;" is defined in named.conf.options.

How can I enable recursion for linux.org queries in order to forward them to my resolvers?

Thanks a lot


Re: Forward zone inside a view

Tony Finch
Roberto Carna <[hidden email]> wrote:
>
> So how can I define "recursion yes" just for the zone "linux.org" ???

You can turn recursion on and off for the entire server, or per view, but
not per zone.

It isn't clear to me what you want this server to do. If it is providing
DNS service to end-user devices (if it is configured in /etc/resolv.conf
or advertised by DHCP) then it needs to provide recursive service. If not,
then I am even more confused about what you are trying to do!

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Southwest 5
or 6, increasing 7 to severe gale 9. Moderate or rough becoming very rough.
Rain and drizzle, squally showers later. Moderate or good, occasionally poor.

Re: Forward zone inside a view

Roberto Carna
Ok Tony, please let me explain to you.

In our company we have several desktops in two different cities that access only internal domains, distributed across two views in a private BIND with authoritative zones, where I've defined "recursion no;".

But now we have to let them access *.teamviewer.com hostnames, just this public domain and no other.

So I've implemented forwarding of the "teamviewer.com" zone to our BIND resolver servers (they forward DNS queries to 8.8.8.8). So I've created a third view with this information in named.conf.local:

acl internet { 10.0.0.0/24; };

view "internet" {
   match-clients { internet; key "custom"; };

   recursion yes;

   zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
                172.18.1.1;
                172.18.1.2;
        };
   };
};


I defined "recursion yes", but then the BIND server forwards queries for all public domains to our resolvers and not just for "teamviewer.com", so it doesn't work. And if I change it to "recursion no", the query for www.teamviewer.com is refused and on the client side an error appears saying that recursion is necessary.

So either I let the desktops resolve all Internet domains or none, and this is not what I want, because I just want to let them resolve teamviewer.com.

How can I forward only teamviewer.com zone queries to my resolvers?

Sorry for my new message, special thanks Tony !!!


Re: Forward zone inside a view

Matus UHLAR - fantomas
On 07.02.19 14:58, Roberto Carna wrote:
>In our company we have several desktops from two different cities accessing
>only to internal domains distributed in two views in a private BIND with
>authoritative zones, where I've defined "recursion no;".
>
>But now we have to let them access to *.teamviewer.com hostnames, just this
>public domain and not other.

btw, when did linux.org change to teamviewer.com?

>So I've implemented the forwarding of "teamviewer.com" zone to our BIND
>resolvers servers (they forward DNS queries to 8.8.8.8). So I've created a
>third view with this information in named.conf.local:
>
>acl internet { 10.0.0.0/24 };
>
>view "internet" {
>
>   match-clients { internet; key "custom"; };
>
> recursion yes;
>
> zone "teamviewer.com" {
>
>        type forward;
>
>        forward only;
>
>        forwarders {
>
>                172.18.1.1;
>
>                172.18.1.2;
>
>        };
>
>};


>I defined "recursion yes" but the BIND servers forwards all the public
>domains queries to our resolvers and not just for "teamviewer.com", so it
>doesn't work. And if I change for "recursion no", the query
>www.teamviewer.com is refused and at the client side appears an error
>telling that recursion is necessary.

of course, BIND will resolve other domains (recurse) only when you allow it
to recurse.

>So I let desktops resolve all the Internet domains or neither, and this is
>not what I want because I just want to let them resolve just teamviewer.com.
>
>How can I do to forward only teamviewer.com zone queries to my resolvers???

what is the point of running DNS server with only two hostnames allowed to
resolve?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?

Re: Forward zone inside a view

Roberto Carna
Dear, thanks for your contact. I've used teamviewer.com just for tests.

The desktops I mentioned can only access web apps on internal domains, but some of those web apps have links to download the Teamviewer client software from the Internet. I can create a private zone "teamviewer.com" with all the hostnames and IPs we will use, but if they change I will be in trouble.

So we need to forward the query to our resolvers in order to get a valid response.

So I think we can use the forward option from BIND, but it doesn't work at all as I described:
1. "recursion no" can only be set at the top (view) level, not overridden
   at the zone level.

2. If I set "recursion no" at the view level, then a "type forward"
   zone has no effect:

  view "foo" {
    recursion no;
    ...
    zone "teamviewer.com" {
      type forward;
      forward only;
      forwarders {172.18.1.1; 172.18.1.2;};
    };

-- query for foo.teamviewer.com fails and tells me it's not a recursive query

3. If I define "recursion yes" at view level:

  view "foo" {
    recursion yes;
    ...
    zone "teamviewer.com" {
      type forward;
      forward only;
      forwarders {172.18.1.1; 172.18.1.2;};
    };

-- query for foo.teamviewer.com is OK, but I also get an OK response from
foo.ibm.com, foo.google.com, and any other public domain on the Internet
(and this is not what I want, it's what I'm trying to prevent)

So can you help me please?
Regards.


Re: Forward zone inside a view

Alan Clegg
On 2/7/19 2:30 PM, Roberto Carna wrote:
> Dear, thanks for your contact. I've used teamviewer.com
> <http://teamviewer.com> just for tests.
>
> Desktops I mentioned can only access to web apps from internal domains,
> but in some web apps there are links to download Teamviewer client
> software from Internet. I can create a private zone "teamviewer.com
> <http://teamviewer.com>" with all the hostnames and IP's we will use,
> but if they change I will be in trouble.

Sounds to me like a use for a global block with RPZ and a passthrough
for the domain that needs to be ... uh ... passed through.

And from my experience, this is never going to work because whatever the
"only thing we want to resolve" is, it will rely on something else that
you don't (currently) resolve.

Anyone that has ever tried to block their "smart TV" so that it only
allows certain apps but not others will know exactly what I'm talking about.

AlanC

Re: Forward zone inside a view

Paul Kosinski-2
I haven't analyzed the details and pitfalls, but could a Web proxy
mechanism of some sort be of help? In particular, rather than having
your users directly access "teamviewer.org" (or whatever), have them
access "teamviewer.local", which is resolved by your internal DNS to a
specialized proxy server.

Then set up this proxy server to forward those requests to
"teamviewer.org", *not* its IP address (since that can, of course,
change). This is likely the hard part, but the proxy can at least
assume that it never gets HTTP(S) requests in general.

In other words, move the mapping one level up in the protocol stack,
from the DNS layer to the HTTP(S) layer.

And, if the proxy can support the equivalent of name-based hosting, then
it could support multiple local domain redirects, if needed in the
future.

P.S. PRIVOXY is probably able at least to do the redirect for a single
domain -- and it's lightweight.





Re: Forward zone inside a view

Matus UHLAR - fantomas
On 07.02.19 16:30, Roberto Carna wrote:

>Desktops I mentioned can only access to web apps from internal domains, but
>in some web apps there are links to download Teamviewer client software
>from Internet. I can create a private zone "teamviewer.com" with all the
>hostnames and IP's we will use, but if they change I will be in trouble.
>
>So we need to forward the query to our resolvers in order to get a valid
>response.
>
>So I think we can use the forward option from BIND, but it doesn't work at
>all as I described:
>
>1. "recursion no" can only be set at the top (view) level, not overridden
>   at the zone level.
>
>2. If I set "recursion no" at the view level, then a "type forward"
>   zone has no effect:
>
>  view "foo" {
>    recursion no;
>    ...
>    zone "teamviewer.com" {
>      type forward;
>      forward only;
>      forwarders {172.18.1.1; 172.18.1.2;};
>    };
>
>-- query for foo.teamviewer.com fails and tell it's not a recursive query

the whole point of "recursion no" is not to answer recursive queries,
so there should be no wonder it works that way.


>3. If I define "recursion yes" at view level:
>
>  view "foo" {
>    recursion yes;
>    ...
>    zone "teamviewer.com" {
>      type forward;
>      forward only;
>      forwarders {172.18.1.1; 172.18.1.2;};
>    };
>
>-- query for foo.teamviewer.com is OK, but also I get response OK from
>foo.ibm.com, foo.google.com, and any other public domain from Internet
>(and this is not what I want, it's what I'm trying to prevent))
>
>So can you help me please???

you still have not answered my question:

>> what is the point of running DNS server with only two hostnames allowed to
>> resolve?

However, you can define an empty type master "." zone, and BIND will return
NXDOMAIN for anything else.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
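Putting the two answers above together (Tony: recursion is a per-view setting, so it has to be switched on for the whole view; Matus: an empty master zone for "." makes the view answer NXDOMAIN for everything it is not told about), this is what the "internet" view could look like. It is an added example written for this page, not configuration posted in the thread. It reuses the thread's acl, view name and forwarder addresses; the file paths, the explicit allow-recursion/allow-query-cache ACLs and the "localhost." NS target are assumptions, the key "custom" from the original match-clients is left out, and the view is assumed to be listed before any catch-all view and to also carry the internal zones those desktops use, since a view only serves the zones defined in it.

```conf
// file: /etc/bind/named.conf.local  (added example, not from the thread)
acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; };          // add key "custom" here if still needed

    // Recursion is a view (or global) setting; it cannot be set inside a zone.
    // The global "recursion no;" in options still applies to the other views.
    recursion yes;
    // Without these, allow-recursion/allow-query-cache are inherited from the
    // global allow-query { any; }; pin them to the clients this view serves.
    allow-recursion   { internet; };
    allow-query-cache { internet; };

    // Chain-of-trust lookups (". DNSKEY", "com DS") would be answered by the
    // empty root below, so validation cannot succeed in this view. Leave it to
    // the upstream resolvers (172.18.1.x) instead.
    dnssec-validation no;

    // The one public domain these clients may resolve: always forwarded,
    // never resolved iteratively by this server.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    // Empty authoritative root: every name not covered by a more specific
    // zone in this view gets an authoritative NXDOMAIN instead of being
    // resolved (no windows updates, no google.com, nothing).
    zone "." {
        type master;
        file "/etc/bind/db.empty-root";
    };

    // The internal authoritative zones these desktops use go here, e.g.
    // zone "corp.example" { type master; file "/etc/bind/db.corp.example"; };
};

; file: /etc/bind/db.empty-root  (added example, not from the thread)
$TTL 3600
@               IN SOA  localhost. hostmaster.localhost. (
                            1           ; serial
                            3600        ; refresh
                            900         ; retry
                            604800      ; expire
                            3600 )      ; negative-cache TTL
@               IN NS   localhost.
localhost.      IN A    127.0.0.1
; Delegation for the one allowed domain. A forward zone is only consulted by
; the resolver; without this NS record named would answer www.teamviewer.com
; authoritatively (NXDOMAIN) from this zone and never ask the forwarders.
; With "forward only" the NS target is never contacted, so localhost. is a
; harmless placeholder.
teamviewer.com. IN NS   localhost.
```

Two points the thread does not spell out: the delegation in the zone file turns the lookup into a referral, which a recursion-enabled view follows into the resolver, where "forward only" applies and the listed NS is ignored; and DNSSEC validation is disabled in this view because the same empty root would answer the chain-of-trust queries. To check, run named-checkconf -z (both zones should load), then from a 10.0.0.0/24 host dig @<this server> www.teamviewer.com should return the forwarders' answer, while dig @<this server> www.ibm.com should return NXDOMAIN with the aa flag set.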

Re: Forward zone inside a view

Roberto Carna
Dear Matus, thanks a lot for your help.

>> what is the point of running DNS server with only two hostnames allowed to
>> resolve? 

The point is I have several desktops that must have access only to internal domains. The only exception is that they have access to teamviewer.com, in order to download the Teamviewer client and for a couple of operations in this public domain.

I think that if I have set up "recursion = no" and I define a forward zone with "type forward" and the corresponding forwarder, this option enables recursion just for this defined zone.

In general, my question is how to forward a public domain to a DNS resolver like 8.8.8.8?

Thanks again.


Re: Forward zone inside a view

Matus UHLAR - fantomas
On 11.02.19 10:38, Roberto Carna wrote:
>Dear Mathus, thanks al lot for your help.
>
>>> what is the point of running DNS server with only two hostnames allowed
>>> to resolve?
>
>The point is I have several desktops that must have access only to internal
>domains. The unique exception is they have access to teamviewer.com  in
>order to download the Teamviewer client and a pair of operations in this
>public domain.

if you disable recursion, any client using that server will only have access
to the domains that are configured on that server internally.

That also means they won't be allowed to contact any internal domains,
unless you configure those internal domains on that server.
Also no windows updates, nothing.

>I think if I have setup "recursion = no", if I define a forward zone with
>"type forward" and the corresponding forwarder, this option enable the
>recursion just for this defined zone.

No. Forward zone means recursion. "recursion no" is designed for
authoritative servers, not servers like these.

>In general, my question is how to forward a public domain to a DNS resolver
>like 8.8.8.8 ???

configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
do resolution well without forwarding. Also, this seems to be just the
opposite of what you describe above.

>On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas (<[hidden email]>)
>wrote:
>
>> On 07.02.19 16:30, Roberto Carna wrote:
>> >Desktops I mentioned can only access to web apps from internal domains,
>> but
>> >in some web apps there are links to download Teamviewer client software
>> >from Internet. I can create a private zone "teamviewer.com" with all the
>> >hostnames and IP's we will use, but if they change I will be in trouble.
>> >
>> >So we need to forward the query to our resolvers in order to get a valid
>> >response.
>> >
>> >So I think we can use the forward option from BIND, but it doesn't work at
>> >all as I described:
>> >
>> >1. "recursion no" can only be set at the top (view) level, not overridden
>> >   at the zone level.
>> >
>> >2. If I set "recursion no" at the view level, then a "type forward"
>> >   zone has no effect:
>> >
>> >  view "foo" {
>> >    recursion no;
>> >    ...
>> >    zone "teamviewer.com" {
>> >      type forward;
>> >      forward only;
>> >      forwarders {172.18.1.1; 172.18.1.2;};
>> >    };
>> >
>> >-- query for foo.teamviewer.com fails and tell it's not a recursive query
>>
>> the whole point of "recursion no" is not to answer recursive queries,
>> so there should be no wonder it works that way.
>>
>>
>> >3. If I define "recursion yes" at view level:
>> >
>> >  view "foo" {
>> >    recursion yes;
>> >    ...
>> >    zone "teamviewer.com" {
>> >      type forward;
>> >      forward only;
>> >      forwarders {172.18.1.1; 172.18.1.2;};
>> >    };
>> >
>> >-- query for foo.teamviewer.com is OK, but also I get response OK from
>> >foo.ibm.com, foo.google.com, and any other public domain from Internet
>> >(and this is not what I want, it's what I'm trying to prevent))
>> >
>> >So can you help me please???
>>
>> you still have not answered my question:
>>
>> >> what is the point of running DNS server with only two hostnames allowed
>> to
>> >> resolve?
>>
>> However, you can define empty type master "." zone, and bind will return
>> NXDOMAIN for anything other.
>>


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.

Re: Forward zone inside a view

Roberto Carna
Matus, I've followed what you say:

view "internet" {
   match-clients { internet_clients; key "pnet"; };

recursion yes;

        type forward;
        forward only;
        forwarders {
                8.8.8.8;
        };
};

};

but clients can resolve ANY public Internet domain, in addition to teamviewer.com....I think "recursion yes" apply to every public domain and not just for "teamviewer.com", but I don't know why.

Please can you give me more details, using forward or not, how can I let some clients resolve just teamviewer.com??? I confirm that my BIND is an authoritative name server for internal domains.

Thanks a lot again.

On Mon, 11 Feb 2019 at 10:49, Matus UHLAR - fantomas (<[hidden email]>) wrote:
On 11.02.19 10:38, Roberto Carna wrote:
>Dear Matus, thanks a lot for your help.
>
>>> what is the point of running DNS server with only two hostnames allowed
>>> to resolve?
>
>The point is I have several desktops that must have access only to internal
>domains. The unique exception is they have access to teamviewer.com  in
>order to download the Teamviewer client and a pair of operations in this
>public domain.

if you disable recursion, any client using that server will only have access
to the domains that are configured on that server internally.

That also means they won't be allowed to contact any internal domains,
unless you configure those internal domains on that server.
Also no windows updates, nothing.

>I think if I have setup "recursion = no", if I define a forward zone with
>"type forward" and the corresponding forwarder, this option enable the
>recursion just for this defined zone.

No. Forward zone means recursion. "recursion no" is designed for
authoritative servers, not servers like these.

>In general, my question is how to forward a public domain to a DNS resolver
>like 8.8.8.8 ???

configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
do resolution well without forwarding. Also, this seems to be just the
opposite of what you describe above.


Re: Forward zone inside a view

Timothe Litt
In reply to this post by Roberto Carna
On 11-Feb-19 08:38, Roberto Carna wrote:

> The point is I have several desktops that must have access only to
> internal domains. The unique exception is they have access to
> teamviewer.com in order to download the
> Teamviewer client and a pair of operations in this public domain.
>
(Ab)using the DNS for this is almost certainly the wrong approach,
though this sort of question comes up frequently.

Any sufficiently motivated user can list a blacklisted domain in
HOSTS.TXT, change his DNS server to a public one, use an IP address
(obtained at home, the local internet cafe, or elsewhere), or use other
work-arounds.

So besides being painful to set up, it's likely ineffective.  You can
clamp down on some of these with file system or other administrative
controls - but not all.  It will be a frustrating path.

If you want (or are required) to create a walled garden, the only
effective approach is likely to be a firewall configuration.  You can
set it up to only allow traffic from particular IP addresses to the
permitted ones.  And control protocols.  You can either send "not
reachable" ICMP responses, or redirect connection attempts to a
port-appropriate warning/notification service.  (e.g. a web page,
e-mail robot, etc.)

You need a process to update the firewall in the unlikely event that the
IP address of a permitted service changes.  And if your clients get
their addresses from DHCP, you'll want to set up distinct address pools
- and possibly VLANs.

DNS is the wrong hammer for this nail.

Whether you should hammer the nail at all is a political, not a
technical issue.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.



Re: Forward zone inside a view

Bind-Users forum mailing list
In reply to this post by Roberto Carna
Hello.

On Thursday, 07.02.2019, 10:32 -0300, Roberto Carna wrote:
> Dear, I have Bind 9.10.3 as our private DNS service with two views,
> one of them let some clients to query linux.org domain from Internet
> forwarding the query to our Bind resolvers, but the query is refused
> by our private Bind.

What about setting up a (transparent) proxy and forcing all clients to
use it for web traffic?

This would solve the problem much more easily.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



Re: Forward zone inside a view

Kevin Darcy
In reply to this post by Roberto Carna
Define root zone. 

Delegate teamviewer.com from root zone.

Define teamviewer.com as "type forward".

"recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instance. Since you want to forward -- selectively -- you need "recursion yes". Nothing outside of that part of the namespace will be forwarded, since named considers everything else to be contained in the root zone.

                                                                                - Kevin


Re: Forward zone inside a view

Bind-Users forum mailing list
In reply to this post by Paul Kosinski-2
On 02/07/2019 07:02 PM, Paul Kosinski wrote:
> I haven't analyzed the details and pitfalls, but could a Web proxy
> mechanism of some sort be of help? In particular, rather than having
> your users directly access "teamviewer.org" (or whatever), have them
> access "teamviewer.local", which is resolved by your internal DNS to a
> specialized proxy server.

It sounds like you might be talking about using a reverse proxy of sorts
to translate internal requests for teamviewer.local to external requests
for teamviewer.com.

> Then set up this proxy server to forward those requests to
> "teamviewer.org", *not* its IP address (since that can, of course,
> change). This is likely the hard part, but the proxy can at least assume
> that it never gets HTTP(S) requests in general.

The internal (reverse) proxy can accept HTTPS protected requests for a
domain that it has the certificate for, i.e. teamviewer.local, or
possibly teamviewer.corpdomain.tld.  (The latter would allow for TLS
certificates from 3rd parties like Let's Encrypt.)

> In other words, move the mapping one level up in the protocol stack,
> from the DNS layer to the HTTP(S) layer.

The other advantage that this has is that recursion could remain
disabled on the internal DNS servers.  All that would need to be done is
to make the internal DNS server authoritative for the teamviewer.local (et
al.) domain.

> And, if the proxy can support the equivalent of name-based hosting, then
> it could support multiple local domain redirects, if needed in the future.

I've done this a number of times with Apache.

> P.S. PRIVOXY is probably able at least to do the redirect for a single
> domain -- and it's lightweight.

I think Squid can do it.  I expect that any other sufficiently capable proxy
or web server can do it too.



--
Grant. . . .
unix || die
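Grant's reverse-proxy suggestion above, as an added example that is not from this thread or from any project: an Apache 2.4 virtual host that terminates HTTPS for teamviewer.local and re-issues each request to www.teamviewer.com by name. It assumes the internal BIND serves teamviewer.local authoritatively with an A record for this proxy host, that the proxy host resolves external names itself, and that the certificate paths and other-vendor.local are placeholders.

```apache
# Added example (not from the thread): Apache 2.4 reverse proxy that
# terminates TLS for the internal name teamviewer.local and re-issues the
# request, by hostname, to the public service. Assumptions (not from the
# page): the internal BIND is authoritative for teamviewer.local and points
# it at this host; the proxy resolves external names via its own resolver;
# mod_ssl, mod_proxy, mod_proxy_http are loaded; /etc/ssl/local/ is a placeholder.

<VirtualHost *:443>
    ServerName teamviewer.local
    SSLEngine on
    SSLCertificateFile    /etc/ssl/local/teamviewer.local.crt
    SSLCertificateKeyFile /etc/ssl/local/teamviewer.local.key

    # Speak TLS to the upstream and verify its certificate against the
    # public name, so a poisoned answer from the proxy's resolver cannot
    # silently redirect the proxy to an impostor.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # With ProxyPreserveHost Off the upstream sees Host: www.teamviewer.com,
    # not teamviewer.local, which is what the vendor's name-based site needs.
    ProxyPreserveHost Off

    # The hostname is resolved here, on the proxy, at request time, so the
    # internal DNS server can keep "recursion no".
    ProxyPass        / https://www.teamviewer.com/
    ProxyPassReverse / https://www.teamviewer.com/

    # Limit use to the internal clients from the original post's acl.
    <Location />
        Require ip 10.0.0.0/24
    </Location>
</VirtualHost>

# Name-based hosting: each further local name is just another VirtualHost
# with its own ServerName and target (other-vendor.local is hypothetical).
<VirtualHost *:443>
    ServerName other-vendor.local
    SSLEngine on
    SSLCertificateFile    /etc/ssl/local/other-vendor.local.crt
    SSLCertificateKeyFile /etc/ssl/local/other-vendor.local.key
    SSLProxyEngine on
    ProxyPreserveHost Off
    ProxyPass        / https://www.example.com/
    ProxyPassReverse / https://www.example.com/
</VirtualHost>
```

ProxyPassReverse only rewrites the Location, Content-Location and URI response headers, not absolute links or cookie domains inside page bodies, so a site that references its public name in HTML or cookies may still need ProxyPassReverseCookieDomain or mod_proxy_html.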

