Restrict DNS to Respond Only for Our Domains

Expand Post »

Hi,

I would like to look at restricting our external DNS servers to only respond for the domains that we own. Firstly, I would like to ask if this is the convention, or does everybody set their DNS to answer all queries for everyone?

Assuming not, we will still want our externals to do recursive lookups for our internal traffic so we will need an ACL to identify internal networks and allow recursion.

Would I also need a 'zone "." recursion no' stanza, so that all other traffic will be denied or would the ACL be enough?

Looking at my named.conf, it looks like it has been set up like this in the past, but this has been commented out.

named.conf: (truncated)

(Toggle Plain Text)

acl dns_servers { internal_dns_ip; internal_dns_ip; };

options {
  directory "/var/named" ;
  allow-query { any; };
#  allow-query { dns_servers; 127.0.0.1; };
#  allow-recursion { dns_servers; 127.0.0.1; };
  allow-recursion { any; };
  allow-transfer { none; };
  allow-notify {master_dns_ip; };
  listen-on-v6 { none; };
  recursive-clients 3500;
  version none;
  zone-statistics yes;
  notify no;
  auth-nxdomain no;
  };

view external {
  match-clients { any; };

  zone "orgname.com" {
    type slave;
    file "/var/named/slave/external/orgname.com";
    masters { master_dns_ip; };
  allow-notify { master_dns_ip; };
    allow-query { any; };
  };

  ... more zones ...
};

Similar Threads

Optimum Online Web Hosting. in Networking

unixanalyst

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Oct 7th, 2009

Re: Restrict DNS to Respond Only for Our Domains

>>I would like to look at restricting our external DNS servers to only respond for the domains that we own. Firstly, I would like to ask if this is the convention, or does everybody set their DNS to answer all queries for everyone?

Typically you allow all queries for domain you are the authority over and block all other external traffic. If this server is located inside a LAN it is common to allow internal traffic to do recursive lookups on any domain.

A domain I own (or used to, it lapsed and someone bought it

). I allow transfer and set also-notify for my other nameservers

text Syntax (Toggle Plain Text)

zone "wombatcs.com" {
        type master;
        file "/etc/bind/zones/wombatcs.com";
        allow-transfer { 72.16.x.x; 72.x.17x.x; localhost; 20x.x.2x8.x; };
        allow-query { any; };
        also-notify { 72.16.x.x; x.42.x.219; };
};

For my options configuration to deny queries:

text Syntax (Toggle Plain Text)

options {
        directory "/var/cache/bind";
        version "NO INFORMATION";
 
        allow-query { 10.2.1.0/24; localhost; 64.25.1.0/24; 64.x.131.0/24; x.16.141.0/24; x.x.20.228; 72.x.178.0/24; x.196.x.0/24; };
        allow-recursion { 10.2.1.0/24; localhost; 64.x.1.0/24; 64.x.131.0/24; x.16.141.0/24; x.x.20.228; 72.x.178.0/24; x.196.35.0/24; };
        allow-transfer { none; };
        zone-statistics no;
        statistics-file "/var/cache/bind/stats";
        auth-nxdomain no;    # conform to RFC1035
 
};

You can see I also set a version in my options. I do this to hide the version of BIND because in the past there have been numerous bind exploits that would allow a remote user to become root. You can test this:

(Toggle Plain Text)

sk@sk:/tmp$ dig @localhost version.bind chaos txt

; <<>> DiG 9.4.0 <<>> @localhost version.bind chaos txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62932
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "NO INFORMATION"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct  7 06:44:29 2009
;; MSG SIZE  rcvd: 71

sknake

Featured Poster

Reputation Points: 1749

Solved Threads: 735

Senior Poster

Offline

3,948 posts
since Feb 2009

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Networking Forum Timeline: dale.granite@google.com

Next Thread in Networking Forum Timeline: The Book - Network security essentials

DaniWeb Message

Cancel Changes

User Name
Password