linuxrox
named view security question

Hello.  I am running BIND 9.3.2 and I'm having an issue with other hosts on the internet being able to do recursive queries via my BIND server.  Here is my trusted ACL:
acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries.  This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    12.44.xxx.xxx/26;
    12.154.xxx.xxx/26;
    12.154.xxx.xxx/26;
    12.44.xxx.xxx/26;
    12.44.xxx.xxx/26;
    12.44.xxx.xxx/29;
    12.44.xxx.xxx/29;
    12.44.xxx.xxx/30;
};
#################################################
here is the options section:
options {
    pid-file "/var/run/named/named.pid";
    directory "/var/named";
    allow-transfer {
        12.44.xxx.xxx;
    };

    allow-query {
        // Accept queries from our "trusted" ACL.  We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };
    blackhole {
        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        bogon;
    };
};
##############################################
here is the external view:

view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "root.hints";
    };
    zone "abc.com" in {
        type master;
        file "midwaypharmacy.com";
        allow-transfer {
            12.44.xxx.xxx;
        };
        allow-query {
            any;
        };
    };
};
##############################################

The problem is that even with that config, hosts outside of my network can do recursive queries for IPs on the internet other than my own domains I'm serving.  For example, here is a log line that shows it:

05-Jun-2006 11:08:54.070 client 12.169.242.140#1901: view external-in: query: www.paypal.com IN A +

Plus I've gotten on a cable connection, put my host as primary DNS server and could surf the web just fine.
Can anyone help me out with this or tell me what could be causing it?
Thanks!
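One way to spot this kind of traffic in the BIND 9.3 query log is to flag lines where a client outside the trusted ACL asks, with recursion desired, for a name the server does not host. This is an added example, not code from the question or the answers; the trusted networks (documentation ranges) and the extra log lines are constructed, since the real prefixes are redacted on the page, and the hosted zone name abc.com is taken from the posted config.

```python
import ipaddress
import re

# Constructed stand-in for the asker's "trusted" ACL (12.44.xxx.xxx/26 etc.).
# The real prefixes are redacted on the page, so documentation ranges are used.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/26", "198.51.100.0/29")]

# Zones this server is authoritative for (abc.com is the zone name in the posted config).
HOSTED_ZONES = ("abc.com",)

# BIND 9.3 query-log line, as quoted in the question.  The trailing "+" / "-" records
# whether the client set the recursion-desired (RD) flag in its query.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def in_hosted_zone(name: str) -> bool:
    """True if name is at or below one of the zones served authoritatively."""
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in HOSTED_ZONES)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside the trusted ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def classify(line: str) -> dict:
    """Parse one query-log line; empty dict if it is not a query-log line."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    q = m.groupdict()
    wants_recursion = q["flags"].startswith("+")
    # An untrusted client asking (RD set) for a name we do not serve is exactly
    # the traffic the external view is meant to refuse.
    q["suspect"] = (not is_trusted(q["ip"]) and wants_recursion
                    and not in_hosted_zone(q["name"]))
    return q

def suspect_queries(lines) -> list:
    """Return the parsed entries that look like off-network recursive queries."""
    return [q for q in map(classify, lines) if q and q["suspect"]]

# Constructed sample log: the first line is the one quoted in the question.
SAMPLE_LOG = [
    "05-Jun-2006 11:08:54.070 client 12.169.242.140#1901: view external-in: query: www.paypal.com IN A +",
    "05-Jun-2006 11:08:55.010 client 12.169.242.140#1902: view external-in: query: mail.abc.com IN MX +",
    "05-Jun-2006 11:08:56.220 client 192.0.2.17#4321: view internal-in: query: www.paypal.com IN A +",
]
```

Note that the "+" only records the RD flag the client sent, so a flagged line shows an attempt; whether named actually answered it from cache has to be confirmed from the response (for instance the "ra" flag and answer section seen by the client), not from this log format.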
slyong

Hi,

You can use iptables / firewalls to stop external machines from querying your DNS.  The basic DNS query rule is like this:

iptables -A INPUT -p udp -s <IPs allowed>/<mask> -d <IP of DNS>/<mask> --destination-port 53 -j ACCEPT

linuxrox (ASKER)

Slyong, no, that won't work at all.  This is a public DNS server, so doing that would keep people from viewing the sites I host.  I already use iptables as my firewall, and port 53 must be open to everyone because this DNS server provides MX records and A records for many domains.
Hi,

If you are running a public DNS primary server, you will have no choice but to let others query your DNS.  If you are a secondary, you can allow only the primary server to query your DNS.

If you are running primary, I don't think I know of a solution.

Regards,
slyong
Yes slyong, they need to be able to query my server, BUT... IP addresses OTHER THAN my local IP addresses should NOT be able to query IP addresses for other servers on the internet.  BIND (named) will do this.
BIND allows you to set up different views so that only local IPs can do recursive queries, while other hosts on the internet can only query your server for the local domains you host.  That is what my question is about.
ASKER CERTIFIED SOLUTION
Ustas
This solution is only available to members.
Yes Ustas, I was overcomplicating it!!  I found a solution that works, but your suggestion works too!
Thanks!