bind9 proper recursion setup
Filter who is able to query DNS recursively and who is not with ACLs.

// Clients allowed to use this server as a recursive resolver
acl my_net { 
    192.168.1.0/24;
};

// Clients that get no response at all (see blackhole below)
acl my_other_net {
    10.0.0.0/8;
};

options {

    [ ... ]


    recursion yes;

    // Only my_net may ask for recursion; other clients get REFUSED for
    // names this server is not authoritative for. allow-query-cache
    // defaults to the same ACL when it is not set explicitly.
    allow-recursion { my_net; };
    // blackhole drops every packet from these addresses, not just
    // recursive queries, and never answers them
    blackhole { my_other_net; };

};

Also, set up ingress (BCP 84) / egress filtering on your gateway to prevent spoofed UDP packets from reaching your network and generating unexpected traffic or cache poisoning. Blackhole untrusted parts of your local infrastructure.
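To check that the ACL actually took effect after a reload, send a recursive query from a host outside my_net and look at the reply flags: with `allow-recursion` restricted, BIND answers REFUSED with the RA (recursion available) bit clear for any name it is not authoritative for, while a host inside my_net gets RA set. The script below is an added example, not code from the original answer; it builds a raw DNS query with only the standard library, classifies a reply from its header, and ships three constructed reply headers (not captured traffic) so the classifier can be exercised offline. The `probe()` helper, the hypothetical server argument and the choice of `example.com` as the test name are assumptions for illustration.

```python
"""Probe a BIND server for open recursion with a raw DNS query (stdlib only).

Added example, not part of the original answer.  After
`allow-recursion { my_net; };` is in place, a client outside my_net that asks
for a name the server is not authoritative for should get REFUSED with RA clear.
A reply with RA set means the server will recurse for that client.
"""
import socket
import struct

FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS query (A record by default) with the RD bit set."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no RRs
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(resp: bytes) -> str:
    """Classify a DNS reply by what its 12-byte header says about recursion."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"             # the ACL did its job for this client
    if flags & FLAG_RA:
        return "open-recursion"      # the server will recurse for this client
    if flags & FLAG_AA and ancount > 0:
        return "authoritative-only"  # answered from a hosted zone, no recursion
    return "no-recursion"


def probe(server: str, name: str = "example.com", port: int = 53, timeout: float = 3.0) -> str:
    """Send one recursive query over UDP and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(resp)


# Constructed reply headers (not captured traffic) for the three cases.
# QR|RD|RCODE=5, RA clear: what a restricted BIND returns to an outside client
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
# QR|RD|RA with one answer: an open resolver (or a client inside my_net)
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
# QR|AA|RD with one answer, RA clear: a hosted zone answered without recursion
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA | FLAG_RD, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))  # hypothetical target server
    else:
        for label, sample in (("refused", SAMPLE_REFUSED), ("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH)):
            print(label, "->", classify_response(sample))
```

Run it once from inside my_net and once from outside: the first should report open-recursion, the second refused. A reply of open-recursion from an address you did not list in allow-recursion means the ACL is not being applied to that client (a wider ACL, a permissive allow-query-cache, or the query reaching the server through a path the ACL does not cover).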

Author: Tsukasa

Updated on September 18, 2022

Comments

  • Tsukasa (almost 2 years ago)

    If I remove recursion then I can't resolve external domains but can still resolve domains that are on the DNS server.

    What is the proper way to setup recursion correctly so external domains can still be resolved without leaving the DNS server open?

    named.conf.options

    options {
        version "One does not simply get my version";
    
        directory "/var/cache/bind";
    
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
    
        // forwarders {
        //      0.0.0.0;
        // };
    
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;
    
        auth-nxdomain no;
        listen-on-v6 { any; };
        allow-recursion { any; };
        allow-query {
                any;
                };
        allow-query-cache { any; };
        notify yes;
        dnssec-enable yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
        also-notify {
                };
    };
    

    I have also added internal subnets to allow-recursion { subnet/xx; }; but am still unable to resolve external domains.

    • Zoredache (over 9 years ago)
      What is the proper way to setup recursion correctly so external domains can still be resolved without leaving the DNS server open? - The extremely paranoid, high-security recommended solution is: don't do that. Don't use your authoritative servers for client resolution if you can avoid it. ACLs will limit the risk if you do choose to use the same server for both, but there is still the remote chance some internal attacker might be motivated to try to corrupt your DNS.
  • Andrew B (over 9 years ago)
    The order of those two need to be reversed, big time. That said, I agree with Zoredache.
  • Xavier Lucas (over 9 years ago)
    @AndrewB Which order are you talking about?
  • Andrew B (over 9 years ago)
    The networking challenges have to be solved before the ACL will be meaningful.
  • Xavier Lucas (over 9 years ago)
    @AndrewB Oh yeah, sure. I didn't say there was an order, just that he had to do both :)