dns reverse non public

labrucebruno (New Member, joined Jul 22, 2020)
Hi everyone,

I have a question about how to secure my reverse bind/dns server.

Today I have the following scenario:
Code:
allow-transfer { clients; };
allow-query { any; };
allow-query-cache { any; };
allow-recursion { clients; };
And with that my dns is public right now. If I change allow-query to clients (that's my network) my dns becomes private but the reverse stops working (it only answers reverse queries from my network).
Is there a way to turn my dns private and still answer reverse queries from any server?
Thanks everyone
Since it is a private dns server and not public you can try enabling recursion:
Code:
recursion yes;
Then restart bind.
Didn't work, am I doing the wrong test?

Code:
root@xxx# nslookup x.x.x.x (reverse ip) x.x.x.x (server ip)
** server can't find x.x.x.x.in-addr.arpa: REFUSED
It only works when I put allow-query { any; };
Try it like this, this is with recursion off:
(Replacing ns.lan.feedmebits.nl with your private dns server)
Code:
~]$ host 10.31.251.13 ns.lan.feedmebits.nl
Using domain server:
Name: ns.lan.feedmebits.nl
Address: 10.31.251.10#53
Aliases:

13.251.31.10.in-addr.arpa domain name pointer zombie.lan.feedmebits.nl.251.31.10.in-addr.arpa.
~]$ host 8.8.8.8 ns.lan.feedmebits.nl
Using domain server:
Name: ns.lan.feedmebits.nl
Address: 10.31.251.10#53
Aliases:

Host 8.8.8.8.in-addr.arpa not found: 5(REFUSED)

This is with recursion on:
Code:
~]$ host 10.31.251.13 ns.lan.feedmebits.nl
Using domain server:
Name: ns.lan.feedmebits.nl
Address: 10.31.251.10#53
Aliases:

13.251.31.10.in-addr.arpa domain name pointer zombie.lan.feedmebits.nl.251.31.10.in-addr.arpa.

~]$ host 8.8.8.8 ns.lan.feedmebits.nl
Using domain server:
Name: ns.lan.feedmebits.nl
Address: 10.31.251.10#53
Aliases:

8.8.8.8.in-addr.arpa domain name pointer dns.google.
Hi my friend.
Still the same.
Inside the network I am able to do that, but outside the network the response is REFUSED.
My doubt is whether the other mail servers will be able to do recursive PTR lookups to the mail servers inside my network.
You mentioned earlier that it is set up as a private dns server for your internal network, and that you have set up
Code:
allow-recursion { clients; };
clients being your internal network. So it's because of the restrictions you have put on there that all other requests not coming from your internal network are being refused. From the bind configuration file comments:
Code:
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
From what you said in your first post it sounded like the dns server was only going to be used by the servers in your private/internal network, because you put a limit on who can access it and who cannot. And like mentioned in the bind documentation, it is advised to disable recursion on a dns server that is authoritative. Authoritative nameservers, where recursion is off, usually host domains which the outside world needs to query. For example, if you have example.com hosted on your authoritative nameserver, only queries for the domain example.com can be looked up. If a system decided it wanted to look up what google.com is using your authoritative nameserver, the request would be denied. Of course you can add multiple domains to your authoritative nameserver.

So if you want mail servers from the outside world and such to be able to do reverse lookups, it would be best to also have a second dns server which is an authoritative nameserver, which then has recursion off. The authoritative nameserver will only be hosting your domain(s) which other systems need to query in order to look up something (i.e. MX records). Basically the ideal situation is having a nameserver in your internal network that is not accessible from the outside world, and an authoritative nameserver which is for example in a DMZ network and accessible to the outside world or limited by an access list (which is how you have it configured now). The internal nameserver, being accessible only to your internal network, is safe to have recursion on because a limited number of systems have access to it. Then the systems in your internal network can do queries for the domains that are hosted as authoritative on your internal nameserver for your internal network, and also do queries for other domains outside of your network (i.e. google.com). This way your internal systems can do all the lookups they need, and systems from outside of your network (the internet) can do lookups to all the domains and dns entries that need to be available for the outside world.
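The split the reply above describes (recursion only for the internal network, authoritative zones answerable from anywhere) can also be expressed on a single BIND 9 instance, because a zone-level allow-query overrides the one set under options, while allow-recursion and allow-query-cache keep recursive service closed to outsiders. The named.conf below is an added example and is not configuration from the thread or from any poster; the acl name, the 10.0.0.0/8 network, the reverse zone and the zone file name are placeholders to be replaced with your own values.

```conf
// Added example (not from the thread): one BIND 9 named.conf that is
// recursive only for the internal network but answers its own
// authoritative reverse zone for any source address.
// All addresses, zone and file names below are placeholders.

acl "clients" {
    10.0.0.0/8;        // placeholder: your internal network(s)
    localhost;
    localnets;
};

options {
    directory "/var/named";

    // Recursion and the cache are only reachable from the internal network,
    // so external queries for names you are not authoritative for
    // (e.g. 8.8.8.8.in-addr.arpa) are still REFUSED.
    recursion yes;
    allow-recursion { clients; };
    allow-query-cache { clients; };

    // Default for every zone that does not set its own allow-query.
    allow-query { clients; };

    // Zone transfers only to internal hosts (as in the thread's config).
    allow-transfer { clients; };

    // Response Rate Limiting bounds how useful the zones left open to the
    // world are for reflection; tune the numbers to your query volume.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// Authoritative reverse zone: the zone-level allow-query overrides the
// options-level one, so PTR lookups from outside mail servers are answered
// while recursive lookups from outside remain refused.
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "db.0.0.10";      // placeholder zone file
    allow-query { any; };
};
```

After editing, run `named-checkconf` on the file and reload; then repeat the two host tests from earlier in the thread from an outside address: the PTR lookup inside your own reverse zone should now answer, and the lookup for 8.8.8.8 should still come back 5(REFUSED).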
Yes I understand.

But basically if I disable recursion my internal network is not able to use my dns as a dns server.
If I enable recursion my internal network is able to resolve names with my dns but the rest of the world cannot check my reverse zones (PTR).
So, I have to allow query "any" instead of "clients" and everything works, but what I'm trying to do is protect my server from amplification attacks.
I want to be able to be the dns server of my network and have the reverse zones that I'm authoritative for checked from outside clients' networks (like if I was the dns server of an ISP, I would be the dns server only for a dozen customers).
I think the only way is to implement BCP38.
Thanks for the help.
I think the thread can be closed now. Thanks for shedding some light.
Appreciate the help and the whole explanation.