
CNAMEs pointing to outside domains


Vincent Aniello
Jun 17, 2002, 9:15:25 PM
I am running Bind 9.2.1 and attempting to limit the hosts that can query my
DNS server with the allow-query and allow-recursion options in named.conf.
When I restrict these options to a list of trusted networks, from a host
outside the list of trusted networks I am unable to look up CNAMEs that refer
to hosts that are part of domains not local to my DNS server.

For example, for the record:

www.localdomain.com IN CNAME www.outsidedomain.com.

Lookups on www.localdomain.com fail with a 'Query denied' error when queried
via nslookup from a host outside of the list of trusted networks for my DNS
server.

When I set allow-query to 'any' and restrict recursion to a list of trusted
networks with the allow-recursion option, an nslookup of www.localdomain.com
from a host outside the list of trusted networks returns the list of root
DNS servers.

Is it possible to configure Bind 9.2.1 to allow queries for CNAMEs that refer
to non-local domains and still restrict queries and recursive queries for
other domains and records?

--Vincent


Kevin Darcy
Jun 17, 2002, 9:19:38 PM

Vincent Aniello wrote:

I'm not aware of any such configuration option.

But, why is it necessary? Your nameserver has done the job of translating the
alias into a canonical name; any fully-functional resolver should then be able
to translate that canonical name into an A record or whatever. Somewhat
inefficient, yes, but it should still work. Isn't it?


- Kevin

Mark_A...@isc.org
Jun 17, 2002, 9:41:12 PM

> I am running Bind 9.2.1 and attempting to limit the hosts that can query my
> DNS server with the allow-query and allow-recursion options in named.conf.
> When I restrict these options to a list of trusted networks, from a host
> outside the list of trusted networks I am unable to lookup CNAMEs that refer
> to hosts that are part of domains not local to my DNS server.
>
> For example, for the record:
>
> www.localdomain.com IN CNAME www.outsidedomain.com.
>
> Lookups on www.localdomain.com fail with a 'Query denied' error when queried
> via nslookup from a host outside of the list of trusted networks for my DNS
> server.
>
> When I set allow-query to 'any' and restrict recursion to a list of trusted
> networks with the allow-recursion option a nslookup of www.localdomain.com
> from a host outside the list of trusted networks returns the list of root
> DNS servers.
>
> Is it possible to configure Bind 9.2.1 to allow queries CNAMEs that refer to
> non-local domains and still restrict queries and recursive queries for other
> domains and records?
>
> --Vincent

I suggest that you test with a non-recursive query, which is what
nameservers performing iterative resolution do.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org

Vincent Aniello
Jun 18, 2002, 12:31:49 PM

"Kevin Darcy" <k...@daimlerchrysler.com> wrote in message
news:aem1ra$56i6$1...@isrv4.isc.org...

>
> Vincent Aniello wrote:
>
> > Is it possible to configure Bind 9.2.1 to allow queries CNAMEs that
> > refer to non-local domains and still restrict queries and recursive
> > queries for other domains and records?
>
> I'm not aware of any such configuration option.
>
> But, why is it necessary? Your nameserver has done the job of translating
> the alias into a canonical name; any fully-functional resolver should then
> be able to translate that canonical name into an A record or whatever.
> Somewhat inefficient, yes, but it should still work. Isn't it?

When I look up the CNAME record using 'nslookup' from a host outside my list
of trusted networks my DNS server returns a 'Query denied' error. Are you
saying that despite this error another DNS server (not nslookup) should
still be able to look up the CNAME correctly? If this is the case then I am
going to get complaints from users that try nslookups on the CNAME records
pointing to outside domains.

--Vincent


Simon Waters
Jun 18, 2002, 1:49:10 PM

Vincent Aniello wrote:
>
> If this is the case then I am
> going to get complaints from users that try nslookups on the CNAME records
> pointing to outside domains.

You shouldn't, as your users are presumably on networks to which
you allow recursion?

DNS servers come in two types: authoritative (that answer queries) and
recursive (that ask them). Your users want a recursive server,
other recursive servers want only authoritative servers. BIND
can be both.

Ideally authoritative servers allow queries from everywhere, and
recursion from nowhere (you can't use them for arbitrary queries,
just what they know).

Recursive servers only allow queries and recursion from trusted
hosts.

So a server doing both allows queries from everywhere, but only
recursion from trusted hosts.
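
Putting Mark's suggestion (test with a non-recursive query) and Simon's split between authoritative and recursive service into concrete named.conf terms, as an added example that is not part of the thread: the first fragment reproduces the configuration Vincent describes, the second shows the split Simon recommends, and the third keeps the global query restriction but opens only the authoritative zone, using the zone-level allow-query that BIND 9 accepts. The acl name, the 192.0.2.0/24 network, the file names and the zone names are placeholders assumed for illustration.

```conf
// Added example (not from the thread). Placeholder values: the "trusted"
// acl, 192.0.2.0/24, the zone file names and localdomain.com.
// A real named.conf has exactly one options statement; the three variants
// below are shown together only for comparison.

acl trusted { 127.0.0.1; 192.0.2.0/24; };

// Variant 1: what the original post describes. allow-query also gates the
// server's own zones, so a client outside "trusted" gets REFUSED ("Query
// denied" in nslookup) for www.localdomain.com before the CNAME is even
// looked at.
options {
    directory "/var/named";
    allow-query     { trusted; };
    allow-recursion { trusted; };
};

// Variant 2: Simon's split. Authoritative data is served to anyone; only
// trusted clients may use the server as a recursive resolver. An outside
// client asking for www.localdomain.com now gets the CNAME; following it to
// www.outsidedomain.com is the job of that client's own recursive resolver,
// and a referral to the root servers in the response is expected.
options {
    directory "/var/named";
    allow-query     { any; };
    allow-recursion { trusted; };
};

// Variant 3: keep the global restriction (nothing from the cache is handed
// to outsiders) and open only the zone this server is authoritative for.
// The zone-level allow-query overrides the one in options.
options {
    directory "/var/named";
    allow-query     { trusted; };
    allow-recursion { trusted; };
};

zone "localdomain.com" {
    type master;
    file "localdomain.com.zone";
    allow-query { any; };
};

// Pure authoritative server (no recursive clients at all): add
//     recursion no;
// to options; the allow-recursion list is then irrelevant.
```

To check the behaviour the way another nameserver sees it, as Mark suggests, query from an untrusted address without the recursion-desired flag: `dig @ns1.localdomain.com www.localdomain.com A +norecurse` (the server name is a placeholder). With variant 2 or 3 the answer section carries the CNAME and the status is NOERROR; with variant 1 the status is REFUSED. nslookup sets the recursion-desired flag by default, which is why its output differs from what a resolver doing iterative lookups experiences.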

Vincent Aniello
Jun 18, 2002, 9:56:36 PM

"Simon Waters" <Si...@wretched.demon.co.uk> wrote in message
news:aenrqm$663r$1...@isrv4.isc.org...

>
> Vincent Aniello wrote:
> >
> > If this is the case then I am
> > going to get complaints from users that try nslookups on the CNAME
> > records pointing to outside domains.
>
> You shouldn't as your users are presumably on networks to which
> you allow recursion?

By users I was also referring to customers performing nslookups from the
Internet. The customers' networks are not in the list of trusted networks on
my DNS servers.

--Vincent

Kevin Darcy
Jun 18, 2002, 10:01:32 PM

Vincent Aniello wrote:

> "Simon Waters" <Si...@wretched.demon.co.uk> wrote in message
> news:aenrqm$663r$1...@isrv4.isc.org...
> >
> > Vincent Aniello wrote:
> > >
> > > If this is the case then I am
> > > going to get complaints from users that try nslookups on the CNAME
> > > records pointing to outside domains.
> >
> > You shouldn't as your users are presumably on networks to which
> > you allow recursion?
>
> By users I was also referring to customers performing nslookups from the
> Internet. The customers networks are not in the list of trusted networks on
> my DNS servers.

Disabling recursion is becoming more and more a standard practice, as awareness
increases of Denial-of-Service and cache poisoning attacks. Also, a lot of
organizations don't like folks freeloading off their nameservers. Given this,
none of your customers should be surprised if your nameserver declines to
recurse to fetch the target of a CNAME, when the query comes from outside of
your own network.


- Kevin
