
Our DNS infrastructure is split into several name servers, central (Bind) and auxiliary ones (like AD).

Disabling recursion effectively disables delegation and forwarding (in Bind at least).

What are the options?

  1. Become a slave for AD zones? Certainly we could set up zone transfers for which the central instance is not authoritative.

  2. Use another name server software than Bind? Essentially I'd want to specify some zones/domains for which it should be able to delegate/recurse. Like being able to specify "destination" ACLs and associated actions.

  3. Become the root zone. The issue with that would be that there are exceptions: some clients still require recursion, albeit for certain domains/zones only.

The goal - in case you wonder - is security. In case of an internal infection lots of C&C servers are accessed through DNS which is mostly unfiltered.

Marki
  • Do internal servers actually need to resolve external domains? Or can you get by with forcing internal servers to use an authenticated proxy server when they need internet access and simply only resolve internal domains for internal servers? Because a proxy might be an easy place to maintain white lists for allowed URIs and would be the only server needing external resolution – Bob Sep 14 '20 at 14:06
  • @HermanB As I wrote under point 3, yes some hosts do. Of course we could set up distinct sets/instances of name servers, recursive and non-recursive ones. But that's a far stretch for something that would seem like it should be easily configurable. – Marki Sep 14 '20 at 14:10
  • @HermanB Well we do use an explicit proxy which is why we wanted to remove recursion (to the outside at least) in the first place. However there are exceptions as usual. – Marki Sep 14 '20 at 14:11
  • @HermanB (The issue is not internet access.) The issue is to be able to still resolve everything internal which is spread across different platforms and for which some kind of recursion would still be needed. – Marki Sep 14 '20 at 14:13
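The following `named.conf` sketch is an added illustration for readers of this question; it is not configuration from the asker or from the BIND project. It shows how options 1 and 3 from the question can be combined in a single BIND 9 instance using views: the default view has recursion switched off and only answers authoritatively (including a secondary copy of the AD zone), while a second view for the handful of clients that still need recursion serves a locally hosted empty root zone, so that only the explicitly listed internal domains are forwarded and everything else gets NXDOMAIN without ever leaving the site. All addresses, ACL names, zone names (`ad.corp.example`, `lab.corp.example`) and file paths are assumed placeholders.

```conf
// Added example, not the asker's configuration. Placeholders:
//   10.0.0.0/8    internal clients
//   10.0.1.0/24   the few hosts that still need (internal-only) recursion
//   10.0.0.10/11  AD domain controllers (primaries for the AD zone)
//   10.0.2.53     internal name server for lab.corp.example
acl internal       { 10.0.0.0/8; localhost; };
acl need-recursion { 10.0.1.0/24; };
acl ad-dcs         { 10.0.0.10; 10.0.0.11; };

options {
    directory "/var/named";
    recursion no;                 // global default: no recursion, hence no forwarding
    allow-query { internal; };
    allow-transfer { none; };     // nobody pulls zones from this server
};

// View for clients that still need recursion, restricted to internal domains.
view "restricted" {
    match-clients { need-recursion; };
    recursion yes;
    allow-recursion { need-recursion; };

    // Option 3: be the root. Serving "." locally replaces the Internet root
    // hints, so any name not covered by a more specific zone below is
    // answered NXDOMAIN from this file instead of being resolved externally.
    zone "." {
        type master;
        file "empty-root.db";
    };

    // Option 1: secondary copy of the AD zone, answered authoritatively
    // without any recursion. (BIND 9.16+ also accepts 'type secondary'
    // and 'primaries' as synonyms for 'type slave' and 'masters'.)
    zone "ad.corp.example" {
        type slave;
        masters { ad-dcs; };
        file "slaves/ad.corp.example.db";
    };

    // Per-domain "destination" rule: this subtree, and only this subtree,
    // is forwarded, and only to the named internal server.
    zone "lab.corp.example" {
        type forward;
        forward only;
        forwarders { 10.0.2.53; };
    };
};

// Everyone else: authoritative answers only; unknown names are REFUSED
// because recursion is off and no forward zones exist in this view.
view "default" {
    match-clients { any; };
    recursion no;
    zone "ad.corp.example" { in-view "restricted"; };   // share the secondary copy
};
```

`empty-root.db` needs nothing more than an SOA record and one NS record pointing at the server itself (for example `localhost.` with an A record of `127.0.0.1`). BIND picks the closest enclosing zone for every query, so the `type forward` zone for `lab.corp.example` wins over the local `"."` zone for names beneath it, while a lookup for an unlisted external domain is answered from the empty root. Keep an eye on the query log after deploying: anything that still needs external resolution will show up as NXDOMAIN in the restricted view or REFUSED in the default view, which is also where an infected host's C&C lookups would surface.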
