Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Rod Whitworth
On Thu, 8 May 2008 00:03:30 -0500, Sam Fourman Jr. wrote:

On Wed, May 7, 2008 at 10:41 PM, Jon Radel [EMAIL PROTECTED] wrote:

 Sam Fourman Jr. wrote:
 I assume that if I want to host email for 10 different domains I have
If you're currently using a setup that involves the same IP
address for both authoritative (domains you host) and recursive
queries (client DNS requests), you should get these split onto
separate addresses.

What I am really after is, well it is probably a fine line the
most secure DNS can be while still providing the outside world
recursive queries.
Because there is no real (sane) way to host email servers and not
provide recursive queries.

Why do you believe that?
Nobody's DNS ever needs to provide recursion for any but its local
users, and hosting mailservers doesn't change anything.

Try googling for:
 "dns recursion bad"
or just read http://tinyurl.com/58wv6m for an example of what you can
let yourself in for.
Even Microsoft knows better (5th link found by Google), and the 4th
link is a PDF from us-cert.gov about "The Continuing Denial of Service
Threat Posed by DNS Recursion".

Botnets and phishers will love you if you don't block recursive queries
from outside your citadel.


Sam Fourman Jr.


You don't need to CC me. I'm subscribed. Replies to my list address
(From:) get tarpitted except from the list servers. Reply-to: works
fine though, but you don't need it.

Rod/

A consultant is someone who's called in when someone has painted himself into a 
corner.  He's expected to levitate his client out of that corner.

-The Sayings of Chairman Morrow. 1984.



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Philip Guenther
On Wed, May 7, 2008 at 11:03 PM, Sam Fourman Jr. [EMAIL PROTECTED] wrote:
 On Wed, May 7, 2008 at 10:41 PM, Jon Radel [EMAIL PROTECTED] wrote:
...
  If you're currently using a setup that involves the same IP
  address for both authoritative (domains you host) and recursive
  queries (client DNS requests), you should get these split onto
  separate addresses.

  What I am really after is, well it is probably a fine line the
  most secure DNS can be while still providing the outside world
  recursive queries.
  Because there is no real (sane) way to host email servers and not
  provide recursive queries.

We all agree that you need to provide recursive DNS service to the
hosts that are your MTAs and that you need to answer DNS queries about
your own zones from any host out there.

However, you do not need to provide *recursive* service to random
outside hosts on the Internet at large in order to send and receive
email.  That is, your servers can and should refuse to answer a DNS
query that asked for, for example, the address of www.openbsd.org.  If
you think otherwise, please cite references.


Philip Guenther



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Joachim Schipper
On Thu, May 08, 2008 at 12:03:30AM -0500, Sam Fourman Jr. wrote:
 On Wed, May 7, 2008 at 10:41 PM, Jon Radel [EMAIL PROTECTED] wrote:
  Sam Fourman Jr. wrote:
  (...) I want to host email for 10 different domains (...)
 If you're currently using a setup that involves the same IP
 address for both authoritative (domains you host) and recursive
 queries (client DNS requests), you should get these split onto
 separate addresses.
 
 What I am really after is, well it is probably a fine line the
 most secure DNS can be while still providing the outside world
 recursive queries.
 Because there is no real (sane) way to host email servers and not
 provide recursive queries.

Are you *sure* you don't mean while still providing the _internal
network_ recursive queries or not provide _reverse_ queries? Really,
really sure?

I would dispute the necessity of either, at least for a modest setup,
but I will agree that both are helpful: a caching nameserver can speed
up name resolution, potentially increasing throughput on a busy server;
a proper reverse DNS can help get past spam filters.

But providing all of the world access to recursive DNS is not a good
idea, and certainly not necessary.

Joachim

-- 
TFMotD: zmore, zless (1) - view compressed files



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Sam Fourman Jr.
  Are you *sure* you don't mean while still providing the _internal
  network_ recursive queries or not provide _reverse_ queries? Really,
  really sure?

No, I am not sure; my DNS skills are not what they need to be. I am
working on improving them.
I am just getting tired of the endless worms and spyware that somehow
find their way onto a Windows 2000 server.
Hell, there isn't even a monitor on that computer; other than Windows
Update it has never even browsed the web.

So I decided it was time to brush up on my skills and ditch the Windows DNS.

What I have found out since I made this post is that recursion has not
much to do with reverse lookup.
It would appear that I was confused.

I really do thank everyone for their input; it is helpful.

Sam Fourman Jr.



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Stuart Henderson
On 2008/05/07 19:21, Sam Fourman Jr. wrote:
I assume that if I want to host email for 10 different domains I have
to have these set
   
allow-recursion { any; };
 
   This allows anybody to use your nameserver as a resolver (e.g.
   anyone can ask you to lookup domains for them). You shouldn't
   do this at all without a very good reason (one example being if
   you're providing DNS to VPN clients and filtering non-VPN traffic).
   Doing so without other controls leaves you open to being an
   attack amplifier for anyone who can send a UDP packet with an
   invalid source address, and also may open you up to DNS poisoning.
 
   If you're currently using a setup that involves the same IP
   address for both authoritative (domains you host) and recursive
   queries (client DNS requests), you should get these split onto
   separate addresses.
 
 
 So if I understand this, the correct way to set up DNS
 is to have one nameserver do just recursive queries
 and a separate name server on a separate IP address have the actual domain
 files.

That's how I usually do things, it gives a clear separation, and
most people don't need a powerful machine to host authoritative dns.

Other options include running two daemons bound to different
addresses (I have some systems where I do this, usually with nsd
for auth, BIND for resolver), or using one daemon with views
and match-destinations.

It's also possible to use views with match-clients, but I'm
not keen on this, it makes things difficult when customers transfer
a domain away, and makes it hard to filter or separate things onto
different machines if you want to do that sometime.

I also usually run named on mail servers, just answering to
localhost queries, forwarding to a main resolver - this saves a
bunch of local network traffic when you have messages stuck in
queues.



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-07 Thread Philip Guenther
On Wed, May 7, 2008 at 3:56 PM, Sam Fourman Jr. [EMAIL PROTECTED] wrote:
...
  now that I am trying to host a mail server, I found out my reverse
  lookup is not working correctly

  we have a /25 ip block on our T1
...
  however if I change my name server to a local ISP (that I do not use
  for service)

  my output is as follows

  Sam$ nslookup 12.192.128.135
  Server: 209.103.196.2
  Address:209.103.196.2#53

  ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

How is a DNS client supposed to know that your server should be
queried for that information?  It asks the servers for the nearest
parent zone (192.12.in-addr.arpa) and gets back NS records for your
server.  It's not working because that parent zone doesn't have those
records and therefore isn't delegating the domain to you.  So, you
need to talk with the people from whom you got that /25 allocation and
tell them the names of your authoritative servers and their IP
addresses so that they can add the necessary NS records to their zone,
pointing at your servers.

(The above contains some gross simplifications; go read the DNS
nutshell book from O'Reilly for the full details.)


Philip Guenther



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-07 Thread Stuart Henderson
On 2008-05-07, Sam Fourman Jr. [EMAIL PROTECTED] wrote:
 here is my trouble, if i use nslookup from a computer that is set to
 use my name server(ns.wiscdns.com)
 my output is as follows:

 Sam# nslookup 12.192.128.135
 Server:   12.192.128.131
 Address:  12.192.128.131#53

 135.128.192.12.in-addr.arpa   name = pop3.DigitalDataWeb.Com.

If I query your server directly I get that too. 

 however if I change my name server to a local ISP (that I do not use
 for service)

 my output is as follows

 Sam$ nslookup 12.192.128.135
 Server:   209.103.196.2
 Address:  209.103.196.2#53

 ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

Your ISP has not delegated or CNAMEd 135.128.192.12.in-addr.arpa
to direct people doing the lookups to contact your server. Using
dig, compare a query for 135.128.192.12.in-addr.arpa ANY with
a query for 1.128.192.12.in-addr.arpa ANY.

Since you are in a subnet that is not on an exact byte boundary
(/8 /16 /24) the normal way is to ask your ISP to configure CNAMEs,
with your /25 you will probably get CNAMEs like this:

128.128/25.128.192.12.in-addr.arpa.
129.128/25.128.192.12.in-addr.arpa.
130.128/25.128.192.12.in-addr.arpa.
131.128/25.128.192.12.in-addr.arpa.
132.128/25.128.192.12.in-addr.arpa.
..you get the picture..

and you will then have to configure named to answer authoritatively
for 128/25.128.192.12.in-addr.arpa, and set your PTR up in that zone
instead, like:

135.128/25.128.192.12.in-addr.arpa. CNAME pop3.DigitalDataWeb.com.

 I assume that if I want to host email for 10 different domains I have
 to have these set

 allow-recursion { any; };

This allows anybody to use your nameserver as a resolver (e.g.
anyone can ask you to lookup domains for them). You shouldn't
do this at all without a very good reason (one example being if
you're providing DNS to VPN clients and filtering non-VPN traffic).
Doing so without other controls leaves you open to being an
attack amplifier for anyone who can send a UDP packet with an
invalid source address, and also may open you up to DNS poisoning.

If you're currently using a setup that involves the same IP
address for both authoritative (domains you host) and recursive
queries (client DNS requests), you should get these split onto
separate addresses.

 auth-nxdomain yes;

I haven't used bind for authoritative dns for a while, but I don't
think this makes a difference for domains you're authoritative
for. AIUI it just forces authoritative answer to be set on any
NXDOMAIN response, even if you're not authoritative for that
domain.

 I am open to any suggestions anyone has, because this is my first set
 of BSD based name servers

This isn't OS-specific, it's just that Windows DNS server tends
to do a bunch of things that it doesn't show you so you don't
get to see what's happening.
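As an added illustration (not code from the thread), here is a Python sketch of the classless reverse delegation Stuart describes for a sub-/24 block, in the RFC 2317 style: the ISP publishes one CNAME per address in the /24 zone, and the block holder publishes PTR records in a "128/25.128.192.12.in-addr.arpa" child zone. The names, the 12.192.128.128/25 block and the pop3 hostname come from the thread; the function names and the PTR (rather than CNAME) child records are this example's own, following RFC 2317.

```python
import ipaddress

def classless_rev_zone(cidr):
    """Parent /24 reverse zone and the RFC 2317 '<first-octet>/<prefix>' child
    zone for an IPv4 block smaller than a /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("classless delegation only applies to IPv4 blocks longer than /24")
    o = net.network_address.packed
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    child = f"{o[3]}/{net.prefixlen}.{parent}"
    return parent, child

def parent_cnames(cidr):
    """CNAMEs the ISP publishes in the /24 zone: one per address in the block,
    each pointing into the customer's child zone. Returned as {owner: target}."""
    parent, child = classless_rev_zone(cidr)
    return {f"{a.packed[3]}.{parent}": f"{a.packed[3]}.{child}"
            for a in ipaddress.ip_network(cidr)}

def child_ptrs(cidr, hostnames):
    """PTRs the block holder publishes in its own child zone, from {ip: fqdn}."""
    _, child = classless_rev_zone(cidr)
    return {f"{ipaddress.ip_address(ip).packed[3]}.{child}": fqdn
            for ip, fqdn in hostnames.items()}

def lookup_ptr(addr, parent_zone, child_zone):
    """Walk the chain a resolver follows: parent CNAME -> child PTR. Returns the
    hostname, or None (NXDOMAIN) when the parent zone has no CNAME for the
    address, which is the failure the thread's nslookup output shows."""
    o = ipaddress.ip_address(addr).packed
    qname = f"{o[3]}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    target = parent_zone.get(qname)
    return None if target is None else child_zone.get(target)

def zone_file_lines(records, rrtype):
    """Render a record dict as zone-file lines for the relevant zone."""
    return [f"{owner} IN {rrtype} {target}" for owner, target in sorted(records.items())]

if __name__ == "__main__":
    block = "12.192.128.128/25"                     # the /25 discussed in the thread
    isp_side = parent_cnames(block)                 # goes in the ISP's /24 zone
    my_side = child_ptrs(block, {"12.192.128.135": "pop3.DigitalDataWeb.Com."})
    print("\n".join(zone_file_lines(isp_side, "CNAME")[:3] + ["..."]))
    print("\n".join(zone_file_lines(my_side, "PTR")))
    print(lookup_ptr("12.192.128.135", isp_side, my_side))   # resolves via the CNAME
    print(lookup_ptr("12.192.128.135", {}, my_side))         # None: no delegation yet
```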



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-07 Thread Sam Fourman Jr.
   I assume that if I want to host email for 10 different domains I have
   to have these set
  
   allow-recursion { any; };

  This allows anybody to use your nameserver as a resolver (e.g.
  anyone can ask you to lookup domains for them). You shouldn't
  do this at all without a very good reason (one example being if
  you're providing DNS to VPN clients and filtering non-VPN traffic).
  Doing so without other controls leaves you open to being an
  attack amplifier for anyone who can send a UDP packet with an
  invalid source address, and also may open you up to DNS poisoning.

  If you're currently using a setup that involves the same IP
  address for both authoritative (domains you host) and recursive
  queries (client DNS requests), you should get these split onto
  separate addresses.


So if I understand this, the correct way to set up DNS
is to have one nameserver do just recursive queries
and a separate name server on a separate IP address have the actual domain files.

Sam Fourman Jr.



Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-07 Thread Jon Radel
Sam Fourman Jr. wrote:
   I assume that if I want to host email for 10 different domains I have
   to have these set
  
   allow-recursion { any; };

  This allows anybody to use your nameserver as a resolver (e.g.
  anyone can ask you to lookup domains for them). You shouldn't
  do this at all without a very good reason (one example being if
  you're providing DNS to VPN clients and filtering non-VPN traffic).
  Doing so without other controls leaves you open to being an
  attack amplifier for anyone who can send a UDP packet with an
  invalid source address, and also may open you up to DNS poisoning.

  If you're currently using a setup that involves the same IP
  address for both authoritative (domains you host) and recursive
  queries (client DNS requests), you should get these split onto
  separate addresses.

 
  So if I understand this, the correct way to set up DNS
  is to have one nameserver do just recursive queries
  and a separate name server on a separate IP address have the actual domain
  files.

Ah, you go wrong right at the start, when you use the phrase "the
correct way".  ;-)  There are many ways of doing this, and a fair number
of them are arguably correct.  (Obviously many of the others range from
silly to really, really bad.)  I suspect that Stuart Henderson and I
will just have to agree to respectfully disagree, a bit.

It is true that one of the easier ways of distinguishing between
providing recursive lookups for local resolvers and providing
non-recursive lookups of authoritative data for the world at large is to
simply run two servers on two IP addresses.  Easier to prove that you've
locked things down appropriately, makes firewalling the former possible,
allows you to grow the two servers onto separate pieces of hardware if
you grow (I once got to watch an ISP split their DNS servers into pieces
when their hardware started staggering under the load--it was much more
painful than it had to be).

However, if you're not rolling in IP addresses and are pretty sure that
big growth is not in your DNS servers' future, you can get pretty close
with some ACLs.  For example, I have some servers which have something
along the lines of:

acl clients {
  // all the local IP addresses allowed to do recursive lookups, e.g.:
  127.0.0.1;
  192.0.2.0/24;
};

acl nameservers {
  // all secondary nameservers and management stations allowed to do
  // zone transfers, e.g.:
  198.51.100.53;
};

options {
  // ... other options ...
  allow-query { clients; };
  allow-recursion { clients; };
  allow-transfer { nameservers; };
};

zone "example.com" in {
  type master;
  file "master/db.example.com";
  allow-query { any; };
};


The upshot is that client addresses can send queries, including
recursive ones, for anything.  The rest of the world can only send
non-recursive queries for the zones for which this server is authoritative.

--Jon Radel
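To verify that a server configured like the above (or the split setup Stuart recommends) really refuses recursion to outsiders, the thing to look at is the RA flag and RCODE in the answer to a recursive query for a zone the server is not authoritative for. The following is an added example, not code from the thread: it builds such a query, parses the response header, and classifies constructed sample responses offline; the function names and the constructed responses are this example's own.

```python
import struct

def build_query(qname, txid=0x1234, qtype=1):
    """Minimal DNS query with RD=1, as a resolver client would send it."""
    flags = 0x0100                                   # QR=0, opcode QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "ancount": an}

def classify(resp):
    """How a server answered a recursive query for a zone it does not serve:
    'refused' is what allow-recursion/allow-query restricted to local clients
    should produce for outsiders; 'open-resolver' means recursion was offered."""
    h = parse_header(resp)
    if h["rcode"] == 5:                              # REFUSED
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-resolver"
    return "other"

def mock_response(query, ra, rcode, ancount=0):
    """Constructed sample reply to `query` (no real server involved): copies the
    transaction id and question, sets QR=1, RD=1 and the given RA/RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x80 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("www.openbsd.org")               # a zone the server does not host
    print(classify(mock_response(q, ra=1, rcode=0, ancount=1)))   # open-resolver
    print(classify(mock_response(q, ra=0, rcode=5)))              # refused
```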




Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-07 Thread Sam Fourman Jr.
On Wed, May 7, 2008 at 10:41 PM, Jon Radel [EMAIL PROTECTED] wrote:

 Sam Fourman Jr. wrote:
 I assume that if I want to host email for 10 different domains I have
If you're currently using a setup that involves the same IP
address for both authoritative (domains you host) and recursive
queries (client DNS requests), you should get these split onto
separate addresses.

What I am really after is, well it is probably a fine line the
most secure DNS can be while still providing the outside world
recursive queries.
Because there is no real (sane) way to host email servers and not
provide recursive queries.

Sam Fourman Jr.