Re: forward zone

Sat, 27 Oct 2018 05:36:01 -0700 

Le 27/10/2018 à 14:13, Matus UHLAR - fantomas a écrit :


On 27.10.18 13:53, Frédéric Lochon wrote:

This is what I wanted to do. But allow-query and allow-recursion are 
not allowed inside a zone of type forward.



aha. I haven't looked at possibbility of allow-recursion for "type 
forward"
zone. allow-query still seems to be supported, even if it ouldn't 
forward...




allow-query is not allowed, at least on my BIND:


Oct 27 14:18:49 named[4703]: /etc/bind/named.conf:186: option 
'allow-query' is not allowed in 'forward' zone '.......'



allow-recursion can only exist in "options" section, but that's probably 
not a problem. I guess I can allow-recursion for everybody as long as 
there is an adequate allow-query option (but I still need to check this).



At the beginning I wanted to detect some specific DNS queries on my 
BIND.
Those queries are dummy (answers too...). It's used by some IoT 
devices to send "heartbeats" by using open access points with captive 
portal (usually, DNS queries are sent even if you don't authenticate).


IoT devices in your network should have recursion allowed.



On my network it's OK.


But it's not OK outside. And this is what I'm trying to do: I want to 
use open access point I found in the neighborhood because my devices 
will travel all over my city.



So my first idea was to use BIND logging capabilities, but that's not 
applicable because BIND only log everything or nothing.



So, I decided to write my own DNS server which would detect those 
queries, and because I have only 1 IPv4, I would let BIND forward the 
queries to my custom server (running on the same IP but another port).


Thus, slaving is not possible, as queries would be seen only by BIND.


because of caching by BIND, the other server would only see some of those
queries too.



Only few queries per day will be sent, so I can adjust the TTL accordingly.

--

Frédéric Lochon

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to