named view security question

Posted on 2006-06-05
Last Modified: 2008-02-07
Hello. I am running BIND 9.3.2 and I'm having an issue with other hosts on the internet being able to do recursive queries via my BIND server. Here is my trusted ACL:
acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries.  This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    12.44.xxx.xxx/26;
    12.154.xxx.xxx/26;
    12.154.xxx.xxx/26;
    12.44.xxx.xxx/26;
    12.44.xxx.xxx/26;
    12.44.xxx.xxx/29;
    12.44.xxx.xxx/29;
    12.44.xxx.xxx/30;
};
#################################################
Here is the options section:
options {
    pid-file "/var/run/named/named.pid";
    directory "/var/named";
    allow-transfer {
        12.44.xxx.xxx;
    };

    allow-query {
        // Accept queries from our "trusted" ACL.  We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };
    blackhole {
        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        bogon;
    };
};
##############################################
Here is the external view:

view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "root.hints";
    };
    zone "abc.com" in {
        type master;
        file "midwaypharmacy.com";
        allow-transfer {
            12.44.xxx.xxx;
        };
        allow-query {
            any;
        };
    };
};
##############################################

The problem is that even with that config, hosts outside of my network can do recursive queries for IPs on the internet other than my own domains I'm serving. For example, here is a log that shows it:

05-Jun-2006 11:08:54.070 client 12.169.242.140#1901: view external-in: query: www.paypal.com IN A +

Plus I've gotten on a cable connection, put my host as primary DNS server, and could surf the web just fine.
Can anyone help me out with this or tell me what could be causing it?
Thanks!
Question by:linuxrox
Expert Comment by slyong (ID: 16840442)
Hi,

You can use iptables / firewalls to stop external machines from querying your DNS. The basic DNS query rule is like this:

iptables -A INPUT -p udp -s <IPs allowed>/<mask> -d <IP of DNS>/<mask> --destination-port 53 -j ACCEPT


Author Comment by linuxrox (ID: 16841990)
Slyong, no, that won't work at all. This is a public DNS server, so doing that would keep people from viewing the sites I host. I already use iptables as my firewall, and port 53 must be open to everyone because this DNS server provides MX records and A records for many domains.

Expert Comment by slyong (ID: 16842163)
Hi,

If you are running a public DNS primary server, you will have no choice but to let others query your DNS.  If you are secondary, you can allow only primary server to query your DNS.

If you are running primary, I don't think I know of a solution.

Regards,
slyong
Author Comment by linuxrox (ID: 16842201)
Yes slyong, they need to be able to query my server, BUT IP addresses OTHER THAN my local IP addresses should NOT be able to query IP addresses for other servers on the internet. BIND (named) will do this.
BIND allows you to set up different views so that only local IPs can do recursive queries while other hosts on the internet can only query your server for the local domains you host. That is what my question is about.

Accepted Solution by Ustas (earned 2000 total points, ID: 16848245)
I think you are over-complicating the config.

What do you think of this:

    allow-query {
        // Accept queries from our "trusted" ACL.  We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };

    allow-recursion {
        trusted;
    };

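The check a practitioner would want after applying an allow-recursion ACL like the one above: from a host outside the "trusted" ACL (the cable connection mentioned in the question, for instance), send one recursion-desired query and confirm the server no longer recurses for it. This is an added example, not code from the thread or from BIND; it assumes UDP/53 to the server is reachable (it must be for a public authoritative server), and www.paypal.com is reused only because it is the name in the log line quoted above.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_RD = 0x0100        # recursion desired: set by the client
FLAG_RA = 0x0080        # recursion available: server says whether it will recurse for this client
RCODE_REFUSED = 5


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (type A by default) with RD set, which is
    exactly what a stub resolver on a home connection sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)   # QDCOUNT=1
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)      # QCLASS IN


def parse_header(resp):
    """Pull out the header fields that matter for an open-resolver check."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "answers": an}


def classify(resp):
    """'open' if the server recursed for us (RA set, NOERROR, answer records);
    'closed' if it refused or answered non-recursively. BIND clears RA for
    clients that do not match allow-recursion, so RA is the decisive bit."""
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open"
    return "closed"


def check_resolver(server, qname="www.paypal.com", timeout=3.0):
    """Send one query over UDP/53 to server and classify the reply.
    Run from a host that is NOT in the trusted ACL to test the external view."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)


# Constructed sample replies (headers only, no real server involved), used to
# exercise classify() offline.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, rcode REFUSED, no answer
```

Calling `check_resolver("<your server IP>")` from outside the trusted networks should return "closed" once allow-recursion is in place; "open" means the external view is still recursing for strangers.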

Author Comment by linuxrox (ID: 16852344)
Yes Ustas, I was overcomplicating it!! I found a solution that works, but your suggestion also works too!
thanks!