Problem with zone delegation with private gTLD


Problem with zone delegation with private gTLD

Bind-Users forum mailing list
Hello,
I am trying to set up a private gTLD with BIND9 and underneath that gTLD
a subdomain. The subdomain runs on another BIND9 server.

The problem I'm facing is that the BIND9 server of the gTLD gives an
NXDOMAIN for the NS record of the subdomain. I have no clue what is wrong.

Can somebody point out what is wrong in my configuration?

named.conf snippet (the "phishing_net" ACL is defined elsewhere):
    view "phishing" {
        match-clients { phishing_net; };
        recursion yes;

        zone "lab" {
            type master;
            file "/etc/bind/gTLD/lab";
        };
    };

gTLD lab zone:
    $TTL 60 ; TTL 60 seconds
    $ORIGIN lab.
    @   IN  SOA vdns01.lab. hostmaster.vdns01.mgmt.lab. (
            2019040801  ; serial
            10800       ; refresh
            3600        ; retry
            604800      ; expire
            38400 )     ; negative-caching TTL

        IN  NS  vdns01.lab.
        IN  MX  10 mail.lab.    ; MX rdata is "preference exchange"; the preference is mandatory

    vdns01          IN  A   192.168.111.200
    mail            IN  A   192.168.10.103

    ; delegation of acme.lab. to the second BIND9 server, with glue for ns1
    $ORIGIN acme.lab.
    @               IN  NS  ns1.acme.lab.
                    IN  NS  vdns01.lab.
    ns1.acme.lab.   IN  A   192.168.10.42   ; glue record



Greetz,
Karl



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


Re: Problem with zone delegation with private gTLD

Tony Finch
Karl Lovink via bind-users <[hidden email]> wrote:

> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
> a subdomain.

Why a TLD?

You will have fewer problems if you get a properly registered domain and
set up a subdomain of that for private use.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Selsey Bill to Lyme Regis: Variable 3 or less, becoming northeast 4 later.
Smooth, becoming slight, occasionally moderate later offshore. Occasional
rain. Good, occasionally moderate.

Re: Problem with zone delegation with private gTLD

Matus UHLAR - fantomas
>Karl Lovink via bind-users <[hidden email]> wrote:
>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>> a subdomain.

On 08.04.19 12:00, Tony Finch wrote:
>Why a TLD?
>
>You will have fewer problems if you get a properly registered domain and
>set up a subdomain of that for private use.

Many users/organizations use private TLDs, just like they often use private
IP ranges instead of public ones.

I believe there should be reserved gTLD for such usage.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.

Re: Problem with zone delegation with private gTLD

Petr Mensik


On 4/8/19 1:05 PM, Matus UHLAR - fantomas wrote:

>> Karl Lovink via bind-users <[hidden email]> wrote:
>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>> a subdomain.
>
> On 08.04.19 12:00, Tony Finch wrote:
>> Why a TLD?
>>
>> You will have fewer problems if you get a properly registered domain and
>> set up a subdomain of that for private use.
>
> Many users/organizations use private TLDs, just like they often use
> private IP ranges instead of public ones.
>
> I believe there should be reserved gTLD for such usage.
>
I believe there is a test domain reserved for similar usage. Or the home.arpa
domain.

Organizations should use their own (sub)domain, especially if they use
DNSSEC. Individuals usually lack a domain they can control. Organizations
often lack good practices to limit some subdomain to private usage.
The complicated setup of secure delegation on some DNS providers might be
responsible.

I think a DNS search suffix might help with the usage of longer domains. But it
is also considered insecure.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]  PGP: 65C6C973

Re: Problem with zone delegation with private gTLD

Bind-Users forum mailing list
In reply to this post by Matus UHLAR - fantomas
I cannot use a registered domain name because I'm building a phishing demo environment and I do not want to use an internet connection.

Met vriendelijke groet,
Karl

On 8 Apr 2019, at 13:06, Matus UHLAR - fantomas <[hidden email]> wrote:

>> Karl Lovink via bind-users <[hidden email]> wrote:
>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>> a subdomain.
>
> On 08.04.19 12:00, Tony Finch wrote:
>> Why a TLD?
>>
>> You will have fewer problems if you get a properly registered domain and
>> set up a subdomain of that for private use.
>
> Many users/organizations use private TLDs, just like they often use private
> IP ranges instead of public ones.
>
> I believe there should be reserved gTLD for such usage.
>

Re: Problem with zone delegation with private gTLD

Tony Finch
Karl Lovink via bind-users <[hidden email]> wrote:

> I cannot use a registered domain name because I'm building a phishing
> demo environment and I do not want to use an internet connection.

It's not particularly easy to get a resolver to work without an Internet
connection. You'll need to set up your own root zone, and configure your
resolver with root hints pointing at your root server(s). I don't know if
there's a handy how-to out there for this kind of testbed...

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Sole: Cyclonic 5 or 6, becoming east 4 or 5. Rough, occasionally moderate at
first in east. Thundery showers. Good, occasionally poor.

Re: Problem with zone delegation with private gTLD

Xavier Humbert
In reply to this post by Matus UHLAR - fantomas
On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
> I believe there should be reserved gTLD for such usage.

Is this not what the TLD /.invalid/ is supposed to be for?

Xavier

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39




Re: Problem with zone delegation with private gTLD

Petr Mensik
In reply to this post by Bind-Users forum mailing list


On 4/8/19 3:42 PM, Karl Lovink via bind-users wrote:
> I cannot use a registered domain name because I'm building a phishing demo environment and I do not want to use an internet connection.

How exactly is this different from using a private TLD? Either way,
you have to provide an authoritative server for that zone. You can copy
the original root zone or create your own root. In any case you have to host
your domain. In a private DNS space, the chance of a collision is almost
non-existent; you can choose anything you want. The example domains might be
useful enough.

You need NS and A records in the root zone, and an authoritative host for your
zone. An example can be found in BIND bin/tests/system/resolver [1].


1.
https://gitlab.isc.org/isc-projects/bind9/tree/master/bin/tests/system/resolver

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]  PGP: 65C6C973

Re: Problem with zone delegation with private gTLD

Kevin Darcy
In reply to this post by Bind-Users forum mailing list
If you're doing stuff at really small scale, you can just define your own root zone and put all of the records into it, including records in the "phishing" subdomain, and any reverse records you care about (in the "in-addr.arpa" and/or "ip6.arpa" subdomains). For that matter, if you only have 1 BIND instance, you don't need to worry about recursion or master/slave replication. BIND might complain if you only have 1 NS record associated with a given zone name (since the standard says a minimum of 2), but you could just make up a fictitious nameserver with a fictitious address, and BIND will quickly figure out that it doesn't exist and stop trying to use it.

- Kevin


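The private root that Tony Finch and Petr Mensik describe, in the single-instance form Kevin Darcy suggests, as an added example that is not from any of the posters: a root zone that delegates lab. to vdns01.lab with glue (name and address from Karl's zone), a named.conf fragment that serves "." itself with DNSSEC validation off, and a check that the delegation and its glue are present. The file paths and the hostmaster.lab. contact are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lay out a private root for one offline
# BIND9 instance. vdns01.lab. = 192.168.111.200 comes from Karl's lab zone;
# the directory, file names and the hostmaster.lab. contact are assumptions.
set -eu

write_private_root() {
    dir=$1
    mkdir -p "$dir"

    # Root zone: the root's own NS and glue, plus the delegation of "lab.".
    # The resolver is itself authoritative for ".", so no hint zone is needed.
    cat > "$dir/db.root" <<'EOF'
$TTL 3600
$ORIGIN .
@            IN  SOA  vdns01.lab. hostmaster.lab. (
                      2019040801 10800 3600 604800 3600 )
@            IN  NS   vdns01.lab.
; delegation of the private TLD plus glue, so the resolver can reach it
lab.         IN  NS   vdns01.lab.
vdns01.lab.  IN  A    192.168.111.200
EOF

    # named.conf fragment: serve "." instead of following the IANA root hints.
    # Validation must be off: this root is not signed under the IANA trust anchor.
    cat > "$dir/private-root.conf" <<EOF
options { dnssec-validation no; };   // merge into your existing options {}
zone "." {
    type master;
    file "$dir/db.root";
};
EOF
}

# Sanity check a root zone file: the delegated TLD needs an NS record and an
# in-zone glue A record for that name server. Returns 1 if either is missing.
check_delegation() {
    zonefile=$1
    tld=$2
    ns=$(awk -v t="$tld." '$1 == t && $3 == "NS" { print $4; exit }' "$zonefile")
    [ -n "$ns" ] || { echo "no NS record for $tld. in $zonefile" >&2; return 1; }
    awk -v n="$ns" '$1 == n && $3 == "A" { found = 1 } END { exit !found }' "$zonefile" \
        || { echo "no glue A record for $ns in $zonefile" >&2; return 1; }
    # also run BIND's own checker when it is installed
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone . "$zonefile" >/dev/null
    fi
}

if [ "${1:-}" = "--demo" ]; then
    write_private_root /tmp/private-root
    check_delegation /tmp/private-root/db.root lab && echo "delegation of lab. looks sane"
fi
```

Run with `--demo` to write the files under /tmp/private-root and check them; point `file` at the real BIND directory before including the fragment in named.conf.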
Re: Problem with zone delegation with private gTLD

Matthew Pounsett
In reply to this post by Xavier Humbert
On Mon, 8 Apr 2019 at 10:35, Xavier Humbert
<[hidden email]> wrote:
>
> On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
> > I believe there should be reserved gTLD for such usage.
>
> Is this not what the TLD /.invalid/ is supposed to be ?

RFC2606 reserves test, example, invalid, and localhost, for "testing
and documentation," which seems to fit this use-case.  'invalid'
doesn't seem to me to be intended for use as a generic private TLD
though, as was suggested up-thread.  However, if the OP is setting up
a private network, with no Internet connection, for a demonstration,
then any TLD at all could be used; a private root will be required
regardless.

Re: Problem with zone delegation with private gTLD

Matus UHLAR - fantomas
>> On 08/04/2019 13:05, Matus UHLAR - fantomas wrote:
>> > I believe there should be reserved gTLD for such usage.

>On Mon, 8 Apr 2019 at 10:35, Xavier Humbert
><[hidden email]> wrote:
>> Is this not what the TLD /.invalid/ is supposed to be ?

On 08.04.19 13:18, Matthew Pounsett wrote:
>RFC2606 reserves test, example, invalid, and localhost, for "testing
>and documentation," which seems to fit this use-case.  'invalid'
>doesn't seem to me to be intended for use as a generic private TLD
>though, as was suggested up-thread.  However, if the OP is setting up
>a private network, with no Internet connection, for a demonstration,
>then any TLD at all could be used; a private root will be required
>regardless.

For temporary testing, .test may be suitable. .local is reserved for mDNS
(I've had to disable mDNS because someone uses .local in the company network),
home.arpa for HNCP (won't the above happen here too?).

I don't find any of existing domains suitable for more permanent usage.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.

Re: Problem with zone delegation with private gTLD

Matthew Pounsett
On Mon, 8 Apr 2019 at 14:33, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> I don't find any of existing domains suitable for more permanent usage.

Yes, and I believe that's the desirable situation.  More permanent
uses (such as the (mis)use of .local you mentioned) should make use of
registered domains to ensure uniqueness.

Re: Problem with zone delegation with private gTLD

Tony Finch
In reply to this post by Matthew Pounsett
Matthew Pounsett <[hidden email]> wrote:
>
> RFC2606 reserves test, example, invalid, and localhost, for "testing
> and documentation,"

However, you must either disable validation or set up your own root zone to
use them. [ RFC 6761 has more details than RFC 2606 about how to use these
names. ]

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Shannon, Rockall: East or southeast 3 or 4, occasionally 5 in Rockall and
later also in Shannon. Moderate, occasionally rough at first and later in far
west Shannon. Showers. Good, occasionally moderate.

Re: Problem with zone delegation with private gTLD

Matthew Pounsett
On Tue, 9 Apr 2019 at 06:32, Tony Finch <[hidden email]> wrote:
>
> Matthew Pounsett <[hidden email]> wrote:
> >
> > RFC2606 reserves test, example, invalid, and localhost, for "testing
> > and documentation,"
>
> However you must either disable validation or set up your own root zone to
> use them. [ RFC 6761 has more details than RFC 2606 about how to use these
> names. ]

Yes, that's right.  The reason I referenced 2606 is that the subject
under discussion was the reason for the reservation, and 6761 defers
to 2606 for that.

When to use the "invalid" TLD

Chris Thompson
In reply to this post by Matthew Pounsett
On Apr 8 2019, Matthew Pounsett wrote, in another thread:

>RFC2606 reserves test, example, invalid, and localhost, for "testing
>and documentation," which seems to fit this use-case.  'invalid'
>doesn't seem to me to be intended for use as a generic private TLD
>though, as was suggested up-thread.

This reminded me of one use I did make of "invalid". The IPv4 addresses
192.153.213.[249-251] were reserved for a web probing service for which
it was desired to make them appear not to be on the university network
(although they were) to see whether the web sites responded differently
in that case. Partly this was done by using an unusual /24, but also by
suppressing DNS entries for them.

Originally this was done by tagging them in the database with a "visibility"
option that suppressed inclusion of both forward and reverse entries in
the DNS. I was quite keen to get rid of this option, which messed up the
database semantics in other ways, and they were the only remaining cases
of its use.

So instead I attached them to a database object with a name under "invalid".
Reverse lookup on the IPv4 addresses then gave that name (indeed, it still
does). That still made them appear to be "not in cam.ac.uk", and forward
lookup on the name would be guaranteed to give NXDOMAIN. Well, unless
we ever generated a forward zone for "invalid" from the database, which
obviously was not going to happen...

I still think this was a reasonable use of "invalid", and consistent with
the remarks in section 6.4 of RFC 6761 (also dating from 2013, incidentally).

--
Chris Thompson
Email: [hidden email]
