Re: Queries regarding forwarders
On 10/25/2018 06:26 PM, Lee wrote:
> If you're using those addresses internally it makes sense to filter
> them from 'outside'.

That's what I thought.

> I play those games at times also :) So it sounds like what I was
> missing is that you like a challenge & are using more address space
> than I thought.

Games are good learning opportunities.

I don't know if I'm /using/ the address space per se or not. I do have 12 /24 non-globally routed networks that aren't from RFC 1918 address space. Mainly because I can and the address space makes it easy to do.

-- 
Grant. . . .
unix || die

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Queries regarding forwarders
On 10/25/18, Grant Taylor via bind-users wrote:
> On 10/25/2018 03:25 PM, Lee wrote:
>
>> I'm missing what filtering out things like benchmarking & documentation
>> network addrs gets you beyond maybe saving some bandwidth?
>
> I do use all sorts of IP ranges (test networks extensively) in my home /
> lab networks. So I'd really rather external things not resolve to an
> address that I may be using. But that's me being atypical.

If you're using those addresses internally it makes sense to filter them from 'outside'.

>> Same deal with using RPZ to block IPv4 BOGONs. What does RPZ blocking
>> get you that you don't get by blocking them on your edge routers?
>
> Defense in depth.
>
> It's more of an exercise of can it be done. Read: Can I concoct
> something that will receive feed from Team Cymru's BGP Bogon Route Server
> and turn it into an RPZ.

I play those games at times also :) So it sounds like what I was missing is that you like a challenge & are using more address space than I thought.

Regards,
Lee
Re: Queries regarding forwarders
On 10/25/2018 03:25 PM, Lee wrote:
> I feel like I'm missing something :(

I'll see if I can fill in below.

> I read this
> https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
> and used RPZ to block anything coming from outside that might be an
> internal address.

I'll read that and reply later if I feel it's warranted.

> I'm missing what filtering out things like benchmarking & documentation
> network addrs gets you beyond maybe saving some bandwidth?

Probably not much for most people.

I do use all sorts of IP ranges (test networks extensively) in my home / lab networks. So I'd really rather external things not resolve to an address that I may be using. But that's me being atypical.

> Same deal with using RPZ to block IPv4 BOGONs. What does RPZ blocking
> get you that you don't get by blocking them on your edge routers?

Defense in depth.

It's more of an exercise of can it be done. Read: Can I concoct something that will receive feed from Team Cymru's BGP Bogon Route Server and turn it into an RPZ.

-- 
Grant. . . .
unix || die
Re: Queries regarding forwarders
On 10/24/18, Grant Taylor via bind-users wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> it does, so you have to flag your local zones as rpz-passthru.
>
> Thank you again Lee. You gave me exactly what I needed and wanted to know.

you're welcome :)

> I finally got around to configuring my RPZ to filter IPv4
> Special-Purpose Address Registry as per IANA's definition.
> (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1)
>
> I am also happily using rpz-passthru for my local domain(s) that resolve
> to filtered IPs.
>
> Now I'm pontificating augmenting my RPZ to also filter replies that
> resolve to IPv4 BOGONs. (Received via BGP feed with Team Cymru.)

I feel like I'm missing something :(

I read this
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
and used RPZ to block anything coming from outside that might be an internal address.

I'm missing what filtering out things like benchmarking & documentation network addrs gets you beyond maybe saving some bandwidth?

Same deal with using RPZ to block IPv4 BOGONs. What does RPZ blocking get you that you don't get by blocking them on your edge routers?

Thanks,
Lee
Re: Queries regarding forwarders
On 08/09/2018 01:01 AM, Lee wrote:
> it does, so you have to flag your local zones as rpz-passthru.

Thank you again Lee. You gave me exactly what I needed and wanted to know.

I finally got around to configuring my RPZ to filter IPv4 Special-Purpose Address Registry as per IANA's definition. (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1)

I am also happily using rpz-passthru for my local domain(s) that resolve to filtered IPs.

Now I'm pontificating augmenting my RPZ to also filter replies that resolve to IPv4 BOGONs. (Received via BGP feed with Team Cymru.)

-- 
Grant. . . .
unix || die
Re: Queries regarding forwarders
Well this is valid when users are directly talking to RPZ servers. What if there is one more resolver in between like Active Directory which itself acts as a DNS server? In that case I believe you don't need to do that, right?

On Fri, Aug 10, 2018 at 12:33 AM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
> > yes, it works just fine
>
> Good.
>
> > it does, so you have to flag your local zones as rpz-passthru. eg:
> > *.home.net CNAME rpz-passthru.
> > localhost CNAME rpz-passthru.
> > 8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
> > 8.0.0.0.10.rpz-ip CNAME . ; 10.0.0.0/8
> > 12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
> > 16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16
>
> That makes sense. RPZ would filter the private IPs by default, but
> zones with said records can be told to not be blocked by RPZ.
>
> Thank you for the clarification Lee.
>
> --
> Grant. . . .
> unix || die
Re: Queries regarding forwarders
On 08/09/2018 01:01 AM, Lee wrote:
> yes, it works just fine

Good.

> it does, so you have to flag your local zones as rpz-passthru. eg:
> *.home.net CNAME rpz-passthru.
> localhost CNAME rpz-passthru.
> 8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
> 8.0.0.0.10.rpz-ip CNAME . ; 10.0.0.0/8
> 12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
> 16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16

That makes sense. RPZ would filter the private IPs by default, but zones with said records can be told to not be blocked by RPZ.

Thank you for the clarification Lee.

-- 
Grant. . . .
unix || die
Re: Queries regarding forwarders
On 8/9/18, Grant Taylor via bind-users wrote:
> On 08/08/2018 10:02 PM, Blason R wrote:
>> Due to the architecture since I have my internal DNS RPZ built I wanted
>> my other internal DNS servers should send traffic to RPZ server and
>> then RPZ would resolve on behalf of client.
>
> Speaking of RPZ and forwarding…
>
> Does anyone know off hand if BIND, with RPZ configured to filter answers
> that resolve to private IPs, can actually respond with private answers
> from a local authoritative zone?

yes, it works just fine

> My long standing fear is that RPZ would filter replies from local
> authoritative zones.

it does, so you have to flag your local zones as rpz-passthru. eg:

*.home.net CNAME rpz-passthru.
localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
8.0.0.0.10.rpz-ip CNAME . ; 10.0.0.0/8
12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16

Regards,
Lee
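Lee's zone fragment encodes each prefix by hand: the rpz-ip owner name is the prefix length followed by the address octets in reverse order. The Python below is an added example, not code from the thread or from BIND, that generates the same records from CIDR notation for the RFC 1918 ranges plus two entries from the IANA special-purpose registry mentioned elsewhere in the thread, emits the passthru records for local zone names, and then simulates how a response is treated: a QNAME passthru hit is applied first and is final, otherwise any answer address inside a blocked prefix becomes NXDOMAIN (the `CNAME .` action). The simulation is a simplified model of BIND's policy evaluation and handles IPv4 only; the zone names (`*.home.net`, `localhost` from Lee's post), the prefix list and the query names in the comments are constructed for the example.

```python
import ipaddress

# Constructed block list: RFC 1918 and loopback as in Lee's fragment, plus
# two ranges from the IANA IPv4 special-purpose registry the thread cites.
BLOCKED_PREFIXES = [
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "192.0.2.0/24",    # TEST-NET-1 (documentation)
    "198.18.0.0/15",   # benchmarking
]

# Local names that must keep resolving to private addresses (assumed
# local zones; "*.home.net" matches subdomains only, not home.net itself).
PASSTHRU_NAMES = ["*.home.net", "localhost"]


def rpz_ip_owner(cidr):
    """Encode an IPv4 prefix as an RPZ response-IP trigger owner name:
    <prefixlen>.<reversed octets>.rpz-ip, e.g. 10.0.0.0/8 -> 8.0.0.0.10.rpz-ip."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def build_zone(blocked=BLOCKED_PREFIXES, passthru=PASSTHRU_NAMES):
    """Return the RPZ zone records: passthru lines first, then one
    NXDOMAIN (CNAME .) trigger per blocked prefix, commented with the CIDR."""
    lines = [f"{name} CNAME rpz-passthru." for name in passthru]
    for cidr in blocked:
        lines.append(f"{rpz_ip_owner(cidr)} CNAME . ; {cidr}")
    return lines


def _qname_matches(pattern, qname):
    """Exact match, or wildcard '*.suffix' matching any subdomain of suffix."""
    qname = qname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return qname.endswith(pattern[1:])
    return qname == pattern


def apply_policy(qname, answers, blocked=BLOCKED_PREFIXES, passthru=PASSTHRU_NAMES):
    """Simplified model of the policy: a QNAME passthru hit is final and the
    answer is returned untouched; otherwise any answer address that falls
    inside a blocked prefix turns the whole response into NXDOMAIN."""
    if any(_qname_matches(p, qname) for p in passthru):
        return "PASSTHRU", list(answers)
    nets = [ipaddress.IPv4Network(c) for c in blocked]
    for addr in answers:
        ip = ipaddress.IPv4Address(addr)
        if any(ip in n for n in nets):
            return "NXDOMAIN", []
    return "PASS", list(answers)


if __name__ == "__main__":
    for line in build_zone():
        print(line)
    # A local host resolving to a private address passes through untouched;
    # an external name pointing at a private address (the rebinding case) is
    # rewritten to NXDOMAIN; a public address is left alone.
    print(apply_policy("printer.home.net", ["192.168.1.20"]))
    print(apply_policy("rebind-test.example", ["192.168.1.20"]))
    print(apply_policy("www.example.org", ["1.2.3.4"]))
```

The zone output reproduces Lee's four rpz-ip lines verbatim, so the generator can be checked against the post before it is pointed at a longer prefix list such as the IANA registry. The order of the two checks is what makes the passthru records work: the QNAME trigger is matched before any answer address is inspected, which is why local zones keep answering with private addresses while the same addresses in an external answer are dropped.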
Re: Queries regarding forwarders
On 08/08/2018 10:02 PM, Blason R wrote:
> Due to the architecture since I have my internal DNS RPZ built I wanted
> my other internal DNS servers should send traffic to RPZ server and
> then RPZ would resolve on behalf of client.

Speaking of RPZ and forwarding…

Does anyone know off hand if BIND, with RPZ configured to filter answers that resolve to private IPs, can actually respond with private answers from a local authoritative zone?

My long standing fear is that RPZ would filter replies from local authoritative zones. Thus I would want my recursive resolver, hosting zones with private IPs, to forward to an RPZ server. Thus allowing me to return private IPs from authoritative zones while filtering private IPs from other external queries.

-- 
Grant. . . .
unix || die
Re: Queries regarding forwarders
Hi there,

Due to the architecture since I have my internal DNS RPZ built I wanted my other internal DNS servers should send traffic to RPZ server and then RPZ would resolve on behalf of client.

Client ---> DNS AUTH Server for xyz.com ===> Forwarder ==> 192.168.3.44 ===> INTERNET

On Wed, Aug 8, 2018 at 10:26 PM Matus UHLAR - fantomas wrote:
> On 08.08.18 19:32, Blason R wrote:
> >I am bit confused about DNS forwarders. I have two BIND Servers one is
> >being used as Authoritative DNS server which has forwarder set
>
> why?
>
> > to other
> >server like this
> >
> >Auth Server for xvyz.com 192.168.3.15
> >Recursive Server 192.168.3.44
> >
> >Now if I am debugging from client side using -debug option I see
> >192.168.3.15 is directly resolving with ROOT DNS Servers though I have
> >recursive no; option set in my BIND config.
>
> BIND has internal list of root servers.
>
> > Ideally the query should have
> >gone to 192.168.3.44 but in debug I am seeing the below output.
>
> ideally you would not use forwarder on BIND, unless you really must.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: at this address I wish NOT to receive any advertising mail.
> If Barbie is so popular, why do you have to buy her friends?
Re: Queries regarding forwarders
On 08.08.18 19:32, Blason R wrote:
>I am bit confused about DNS forwarders. I have two BIND Servers one is
>being used as Authoritative DNS server which has forwarder set

why?

> to other
>server like this
>
>Auth Server for xvyz.com 192.168.3.15
>Recursive Server 192.168.3.44
>
>Now if I am debugging from client side using -debug option I see
>192.168.3.15 is directly resolving with ROOT DNS Servers though I have
>recursive no; option set in my BIND config.

BIND has internal list of root servers.

> Ideally the query should have
>gone to 192.168.3.44 but in debug I am seeing the below output.

ideally you would not use forwarder on BIND, unless you really must.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: at this address I wish NOT to receive any advertising mail.
If Barbie is so popular, why do you have to buy her friends?
Re: Queries regarding forwarders
In article , Blason R wrote:
> Hi there,
>
> I am bit confused about DNS forwarders. I have two BIND Servers one is
> being used as Authoritative DNS server which has forwarder set to other
> server like this
>
> Auth Server for xvyz.com 192.168.3.15
> Recursive Server 192.168.3.44
>
> Now if I am debugging from client side using -debug option I see
> 192.168.3.15 is directly resolving with ROOT DNS Servers though I have
> recursive no; option set in my BIND config. Ideally the query should have
> gone to 192.168.3.44 but in debug I am seeing the below output.

The response says "recursion available". Are you sure you disabled recursion?

Note that if you want to use forwarders, you have to enable recursion. Forwarding is only done when the server is recursing, it tells it to send to the forwarder instead of the servers named in the NS records.

What makes you think the server is directly resolving instead of going to the forwarder? There's nothing in the response that tells you where it got the answer from.

> Well how do I trace if forwarding is happening?
>
> C:\Users\Administrator>nslookup -type=a -debug www.cisco.com
>
> Got answer:
> HEADER:
> opcode = QUERY, id = 1, rcode = NOERROR
> header flags: response, auth. answer, want recursion, recursion
> questions = 1, answers = 1, authority records = 2, additional
>
> QUESTIONS:
> 15.3.168.192.in-addr.arpa, type = PTR, class = IN
> ANSWERS:
> -> 15.3.168.192.in-addr.arpa
> name = dns.xyz.com
> ttl = 10800 (3 hours)
> AUTHORITY RECORDS:
> -> 3.168.192.in-addr.arpa
> nameserver = dns02.xyz.com
> ttl = 10800 (3 hours)
> -> 3.168.192.in-addr.arpa
> nameserver = dns.xyz.com
> ttl = 10800 (3 hours)
> ADDITIONAL RECORDS:
> -> dns.xyz.com
> internet address = 192.168.3.15
> ttl = 10800 (3 hours)
> -> dns02.xyz.com
> internet address = 192.168.3.14
> ttl = 10800 (3 hours)
>
> Server: dns.xyz.com
> Address: 192.168.3.15
>
> Got answer:
> HEADER:
> opcode = QUERY, id = 2, rcode = NOERROR
> header flags: response, want recursion, recursion avail.
> questions = 1, answers = 5, authority records = 13, additiona
>
> QUESTIONS:
> www.cisco.com, type = A, class = IN
> ANSWERS:
> -> www.cisco.com
> canonical name = www.cisco.com.akadns.net
> ttl = 838 (13 mins 58 secs)
> -> www.cisco.com.akadns.net
> canonical name = wwwds.cisco.com.edgekey.net
> ttl = 299 (4 mins 59 secs)
> -> wwwds.cisco.com.edgekey.net
> canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.
> ttl = 14531 (4 hours 2 mins 11 secs)
> -> wwwds.cisco.com.edgekey.net.globalredir.akadns.net
> canonical name = e2867.dsca.akamaiedge.net
> ttl = 3599 (59 mins 59 secs)
> -> e2867.dsca.akamaiedge.net
> internet address = 23.57.126.108
> ttl = 19 (19 secs)
> AUTHORITY RECORDS:
> -> net
> nameserver = a.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = l.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = e.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = i.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = d.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = f.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = b.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = h.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = g.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = c.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = k.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = j.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> -> net
> nameserver = m.gtld-servers.net
> ttl = 4663 (1 hour 17 mins 43 secs)
> ADDITIONAL RECORDS:
> -> m.gtld-servers.net
> internet address = 192.55.83.30
> ttl = 103500 (1 day 4 hours 45 mins)
> -> m.gtld-servers.net
> IPv6 address = 2001:501:b1f9::30
> ttl = 163960 (1 day 21 hours 32 mins 40 secs)
> -> d.gtld-servers.net
> internet address = 192.31.80.30
> ttl = 77579 (21 hours 32 mins 59 secs)
>
> Non-authoritative answer:
> Name: e2867.dsca.akamaiedge.net
> Address: 23.57.126.108
> Aliases: www.cisco.com
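The reply above makes two points that the nslookup -debug output can and cannot support: the "recursion avail." flag shows the server is offering recursion, so `recursion no;` is not in effect, while nothing in the reply says whether the answer came via a forwarder or from the server iterating itself. The Python below is an added example, not code from the thread, that parses the `Got answer:` blocks of nslookup's -debug output, extracts the AA, RD and RA header flags, and classifies each reply accordingly; the sample text is constructed from a trimmed copy of the output posted in the thread (the first reply is the PTR lookup nslookup performs to print the `Server:` line). Whether a query actually left through the forwarder has to be confirmed on the forwarder side, e.g. from its query log, not from the client's view.

```python
import re

# Constructed sample, trimmed from the nslookup -debug output in the thread:
# reply 1 is nslookup's own PTR lookup of the server address (answered from
# the local reverse zone, hence "auth. answer"); reply 2 is the A query.
SAMPLE = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.

    QUESTIONS:
        15.3.168.192.in-addr.arpa, type = PTR, class = IN

Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.

    QUESTIONS:
        www.cisco.com, type = A, class = IN
"""

# Flag names exactly as nslookup prints them.
FLAG_AA = "auth. answer"
FLAG_RD = "want recursion"
FLAG_RA = "recursion avail."


def parse_answers(text):
    """Split nslookup -debug output on 'Got answer:' and pull the header
    fields and question out of each block. Returns a list of dicts."""
    results = []
    for chunk in text.split("Got answer:")[1:]:
        m_hdr = re.search(r"id = (\d+), rcode = (\w+)", chunk)
        m_flags = re.search(r"header flags:\s*(.+)", chunk)
        m_q = re.search(r"QUESTIONS:\s*(\S+), type = (\w+)", chunk)
        if not (m_hdr and m_flags and m_q):
            continue  # skip malformed blocks instead of raising
        flags = {f.strip() for f in m_flags.group(1).split(",")}
        results.append({
            "id": int(m_hdr.group(1)),
            "rcode": m_hdr.group(2),
            "qname": m_q.group(1),
            "qtype": m_q.group(2),
            "aa": FLAG_AA in flags,
            "rd": FLAG_RD in flags,
            "ra": FLAG_RA in flags,
        })
    return results


def assess(answer):
    """Classify what the header flags do prove about the answering server.
    AUTHORITATIVE: served from the server's own zone data.
    RECURSED: RA set and not authoritative, so the server recursed; whether
              it iterated itself or used a forwarder is NOT visible here.
    NO_RECURSION: RA clear, the server is not offering recursion to this client."""
    if answer["aa"]:
        return "AUTHORITATIVE"
    if answer["ra"]:
        return "RECURSED"
    return "NO_RECURSION"


def recursion_enabled(answers):
    """True if any reply carried RA, i.e. 'recursion no;' cannot be in effect
    for the client that ran nslookup."""
    return any(a["ra"] for a in answers)


if __name__ == "__main__":
    parsed = parse_answers(SAMPLE)
    for a in parsed:
        print(f'id={a["id"]} {a["qname"]} {a["qtype"]}: {assess(a)}')
    print("server offers recursion:", recursion_enabled(parsed))
```

Run against the constructed sample, the PTR reply is classified AUTHORITATIVE and the A reply RECURSED, and `recursion_enabled` returns True, which is exactly the contradiction with `recursive no;` the reply above points out.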
Queries regarding forwarders
Hi there,

I am bit confused about DNS forwarders. I have two BIND Servers one is being used as Authoritative DNS server which has forwarder set to other server like this

Auth Server for xvyz.com 192.168.3.15
Recursive Server 192.168.3.44

Now if I am debugging from client side using -debug option I see 192.168.3.15 is directly resolving with ROOT DNS Servers though I have recursive no; option set in my BIND config. Ideally the query should have gone to 192.168.3.44 but in debug I am seeing the below output.

Well how do I trace if forwarding is happening?

C:\Users\Administrator>nslookup -type=a -debug www.cisco.com

Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion
questions = 1, answers = 1, authority records = 2, additional

QUESTIONS:
15.3.168.192.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 15.3.168.192.in-addr.arpa
name = dns.xyz.com
ttl = 10800 (3 hours)
AUTHORITY RECORDS:
-> 3.168.192.in-addr.arpa
nameserver = dns02.xyz.com
ttl = 10800 (3 hours)
-> 3.168.192.in-addr.arpa
nameserver = dns.xyz.com
ttl = 10800 (3 hours)
ADDITIONAL RECORDS:
-> dns.xyz.com
internet address = 192.168.3.15
ttl = 10800 (3 hours)
-> dns02.xyz.com
internet address = 192.168.3.14
ttl = 10800 (3 hours)

Server: dns.xyz.com
Address: 192.168.3.15

Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 5, authority records = 13, additiona

QUESTIONS:
www.cisco.com, type = A, class = IN
ANSWERS:
-> www.cisco.com
canonical name = www.cisco.com.akadns.net
ttl = 838 (13 mins 58 secs)
-> www.cisco.com.akadns.net
canonical name = wwwds.cisco.com.edgekey.net
ttl = 299 (4 mins 59 secs)
-> wwwds.cisco.com.edgekey.net
canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.
ttl = 14531 (4 hours 2 mins 11 secs)
-> wwwds.cisco.com.edgekey.net.globalredir.akadns.net
canonical name = e2867.dsca.akamaiedge.net
ttl = 3599 (59 mins 59 secs)
-> e2867.dsca.akamaiedge.net
internet address = 23.57.126.108
ttl = 19 (19 secs)
AUTHORITY RECORDS:
-> net
nameserver = a.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = l.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = e.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = i.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = d.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = f.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = b.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = h.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = g.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = c.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = k.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = j.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
-> net
nameserver = m.gtld-servers.net
ttl = 4663 (1 hour 17 mins 43 secs)
ADDITIONAL RECORDS:
-> m.gtld-servers.net
internet address = 192.55.83.30
ttl = 103500 (1 day 4 hours 45 mins)
-> m.gtld-servers.net
IPv6 address = 2001:501:b1f9::30
ttl = 163960 (1 day 21 hours 32 mins 40 secs)
-> d.gtld-servers.net
internet address = 192.31.80.30
ttl = 77579 (21 hours 32 mins 59 secs)

Non-authoritative answer:
Name: e2867.dsca.akamaiedge.net
Address: 23.57.126.108
Aliases: www.cisco.com
www.cisco.com.akadns.net
wwwds.cisco.com.edgekey.net
wwwds.cisco.com.edgekey.net.globalredir.akadns.net

C:\Users\Administrator>