
If I remove recursion then I can't resolve external domains but can still resolve domains that are on the DNS server.

What is the proper way to set up recursion correctly so external domains can still be resolved without leaving the DNS server open?

named.conf.options

options {
    version "One does not simply get my version";

    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation yes;

    auth-nxdomain no;
    listen-on-v6 { any; };
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    notify yes;
    dnssec-enable yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    also-notify { };
};

I have also added internal subnets to allow-recursion { subnet/xx; }; but am still unable to resolve external domains.

Tsukasa

    `What is the proper way to setup recursion correctly so external domains can still be resolved without leaving the DNS server open?` - The extremely paranoid high-security recommended solution is: **Don't do that.** Don't use your authoritative servers for client resolution if you can avoid it. ACLs will limit the risk, if you do choose to use the same server for both, but there is still the remote chance some internal attacker might be motivated to try to corrupt your DNS. – Zoredache Oct 08 '14 at 21:27

1 Answer


Filter who is able to query DNS recursively and who is not with ACLs.

acl my_net {
    192.168.1.0/24;
};

acl my_other_net {
    10.0.0.0/8;
};

options {

    [ ... ]

    recursion yes;

    allow-recursion { my_net; };
    blackhole { my_other_net; };

};

Also, set up ingress (BCP 84)/egress filtering on your gateway to prevent spoofed UDP packets from reaching your network and generating unexpected traffic or poisoning. Blackhole untrusted parts of your local infrastructure.

Xavier Lucas
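As an added check that is not part of this thread: a small Python audit of the rules discussed above. It treats `recursion yes` (BIND's default) combined with `any` in `allow-recursion` or `allow-query-cache` as an open-resolver indicator, follows named `acl` blocks, and runs over constructed fragments modelled on the question's and the answer's configs (the fragments, the regexes and the finding texts are mine, not BIND's or the posters').

```python
import re

# Constructed fragments modelled on the configs in this thread (not the OP's full file).
OPEN_CFG = """
options {
    allow-recursion { any; };       // anyone may recurse through this server
    allow-query-cache { any; };     // and read whatever it has cached
};
"""
HARDENED_CFG = """
acl my_net { 192.168.1.0/24; };
options {
    recursion yes;
    allow-recursion { my_net; };
    allow-query-cache { my_net; };  // set explicitly so it cannot default to something wider
};
"""

COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
STMT_RE = re.compile(
    r"\b(acl\s+([^\s{]+)|recursion|allow-recursion|allow-query-cache)\s*(\{[^}]*\}|[^;{]+);"
)
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}


def _elements(body):
    """'{ a; b; }' or ' yes' -> ['a', 'b'] or ['yes']."""
    return [e.strip() for e in body.strip().strip("{}").split(";") if e.strip()]


def audit(config):
    """Return open-resolver findings for a named.conf fragment; [] means the ACLs look restricted."""
    acls, settings = {}, {}
    for kw, acl_name, body in STMT_RE.findall(COMMENT_RE.sub("", config)):
        (acls if acl_name else settings)[acl_name or kw] = _elements(body)

    def is_open(elems, seen=()):  # follow named ACLs, guarding against reference cycles
        return any(e in OPEN_ELEMENTS or (e in acls and e not in seen
                   and is_open(acls[e], seen + (e,))) for e in elems)

    if settings.get("recursion", ["yes"]) == ["no"]:
        return ["recursion no: authoritative-only, clients cannot resolve external names here"]
    findings = []
    # Unset allow-recursion defaults to localnets/localhost; unset allow-query-cache follows it.
    if is_open(settings.get("allow-recursion", [])):
        findings.append("allow-recursion contains any: anyone can recurse through this server")
    if is_open(settings.get("allow-query-cache", [])):
        findings.append("allow-query-cache contains any: cache readable even with recursion restricted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", OPEN_CFG), ("answer", HARDENED_CFG)):
        print(name, audit(cfg) or ["ok"])
```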