Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Grant Taylor via bind-users

On 07/27/2018 09:59 AM, Elias Pereira wrote:
> hello,

Hi,

> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname,
> example, wordpress.mydomain.tdl with a private IP?


Yes, an authoritative DNS server can have a private 
(non-globally-routed) IP address in the zone data.


However, there is a catch.

> Would this be accessible from the internet via hostname, if I did a nat
> on the firewall?


It would (extremely likely) ONLY be accessible from the private 
(non-globally-routed) LAN.  Even that wouldn't require NAT because 
clients would be on the LAN and access it directly without passing 
through the NAT router.


I don't think this will do what (I'm guessing) you want to do.

I suspect you want to have a server with a private IP be accessible via 
domain name from outside the network.


To do this, do the following things:

1)  Enter the outside static IP address of the NAT in DNS for the hostname.
2)  Configure NAT to (port) forward the traffic you are interested in 
from the outside into the server's internal IP.


This will allow the world to access the service(s) in question.

To help the internal clients, set up an additional DNS zone (that is 
only accessed by internal clients) that is the FQDN of the hostname and 
put an A / AAAA record in the zone's apex that resolves to the internal IP.


;
; External / Global / Public DNS zone file for example.net
;
$ORIGIN example.net.
...
myservice   IN  A   203.0.113.123



;
; Internal / Private DNS zone file for myservice.example.net
; (SOA and NS records omitted, as above)
;
$ORIGIN myservice.example.net.
@   IN  A   192.168.1.234


This will cause the world to resolve myservice.example.net. to 
203.0.113.123 and clients inside the LAN to resolve 
myservice.example.net. to 192.168.1.234.


I'm assuming that NAT is configured to port forward the desired ports 
for 203.0.113.123 to 192.168.1.234.


I think this will do what I think you are wanting to do.



--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: SERVFAIL and peak utilization

2018-07-27 Thread Alex
Hi, I'm still having a problem and haven't received any replies. Is
there anyone with any ideas on how to troubleshoot this?

What other information can I provide to help troubleshoot this?



On Thu, Jul 26, 2018 at 5:49 PM, Alex  wrote:
> Hi, here is some further debugging on what I believe are queries
> involving SERVFAIL:
>
> 26-Jul-2018 17:44:40.168 query-errors: debug 1: client @0x7fbee80f39b0
> 127.0.0.1#61547 (69.248.70.96.bad.psky.me): query failed (SERVFAIL)
> for 69.248.70.96.bad.psky.me/IN/A at ../../../bin/named/query.c:8580
> 26-Jul-2018 17:44:40.168 query-errors: debug 2: fetch completed at
> ../../../lib/dns/resolver.c:3927 for 69.248.70.96.bad.psky.me/A in
> 10.96: timed out/success
> [domain:psky.me,referral:1,restart:2,qrysent:4,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 26-Jul-2018 17:44:40.172 query-errors: debug 1: client @0x7fbed81218a0
> 127.0.0.1#61547 (176.216.85.209.psbl.surriel.com): query failed
> (SERVFAIL) for 176.216.85.209.psbl.surriel.com/IN/A at
> ../../../bin/named/query.c:8580
> 26-Jul-2018 17:44:40.172 query-errors: debug 2: fetch completed at
> ../../../lib/dns/resolver.c:3927 for 176.216.85.209.psbl.surriel.com/A
> in 10.000128: timed out/success
> [domain:psbl.surriel.com,referral:2,restart:1,qrysent:2,timeout:1,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 26-Jul-2018 17:44:40.173 query-errors: debug 1: client @0x7fbedc134ed0
> 127.0.0.1#61547 (176.216.85.209.dnsbl-3.uceprotect.net): query failed
> (SERVFAIL) for 176.216.85.209.dnsbl-3.uceprotect.net/IN/A at
> ../../../bin/named/query.c:8580
> 26-Jul-2018 17:44:40.173 query-errors: debug 2: fetch completed at
> ../../../lib/dns/resolver.c:3927 for
> 176.216.85.209.dnsbl-3.uceprotect.net/A in 10.97: timed
> out/success 
> [domain:dnsbl-3.uceprotect.net,referral:2,restart:1,qrysent:2,timeout:1,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> There appears to be a few timeout errors. Is this an indication there
> is a performance problem with the cable modem or connection?
>
> Thanks,
> Alex
>
>
> On Thu, Jul 26, 2018 at 1:57 PM, John Miller  wrote:
>> Hi Alex,
>>
>> What does your query volume look like on this server?  Depending on
>> volume, the BIND defaults for:
>>
>> - clients-per-query
>> - max-clients-per-query
>> - recursive-clients
>> - tcp-clients
>>
>> and others may not be set high enough.  Check pp. 106-108 in the
>> latest 9.11 manual for more details on each of these.
>>
>> Of course, if you're only seeing SERVFAIL for a handful of domains,
>> then they may have some sort of delegation issue, or there might be a
>> network issue between your caching servers and them.
>>
>> John
>>
>>
>> On Thu, Jul 26, 2018 at 1:07 PM, Alex  wrote:
>>> Hi,
>>>
>>> I have a bind-9.11.4 server on a fedora28 system and am frequently
>>> seeing SERVFAIL errors like this:
>>>
>>> 26-Jul-2018 12:54:04.255 query-errors: info: client @0x7f764314a5c0
>>> 127.0.0.1#50719 (223.178.102.199.cidr.bl.mcafee.com): query failed
>>> (SERVFAIL) for 223.178.102.199.cidr.bl.mcafee.com/IN/A at
>>> ../../../bin/named/query.c:4140
>>>
>>> I believe this happens more frequently at times of peak link
>>> utilization, but it also appears to happen during normal times.
>>>
>>> This is a local caching server I've set up but it also appears to
>>> exist on other systems that have been set up to be authoritative for
>>> our domain.
>>>
>>> How can I troubleshoot this further?
>>>
>>> Here is the named.conf for this caching server:
>>>
>>> acl "trusted" {
>>> { 127/8; };
>>> { 68.195.191.40/29; };
>>> { 192.168.1.0/24; };
>>> { 107.155.67.2/32; };
>>> };
>>>
>>> options {
>>> listen-on port 53 { 127.0.0.1; 68.195.191.45; };
>>> listen-on-v6 port 53 { none; };
>>> directory "/var/named";
>>> dump-file "/var/named/data/cache_dump.db";
>>> statistics-file "/var/named/data/named.stats"; // _PATH_STATS
>>> memstatistics-file "/var/named/data/named.memstats";   // _PATH_MEMSTATS
>>> allow-query { trusted; };
>>> recursion yes;
>>> zone-statistics yes;
>>>
>>> // dnssec-enable yes;
>>> // dnssec-validation yes;
>>> // dnssec-lookaside auto;
>>>
>>> dnssec-enable no;
>>> dnssec-validation no;
>>> dnssec-lookaside no;
>>>
>>> /* Path to ISC DLV key */
>>> bindkeys-file "/etc/named.iscdlv.key";
>>>
>>> managed-keys-directory "/var/named/dynamic";
>>>
>>> };
>>>
>>> logging {
>>> channel default_debug {
>>> file "data/named.run";
>>> severity dynamic;
>>> };
>>>
>>> // Record all queries to the box for now
>>> channel query_info {
>>>severity info;
>>>file "/var/log/named.query.log" versions 3 size 10m;
>>>print-time yes;
>>>print-category yes;
>>>  };
>>>
>>> // added for fail2ban support
>>> channel security_file {
>>>severity dynamic;
>>>file 
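
As an added example (my code, not anything posted in this thread), here is a small parser for the two kinds of query-errors lines Alex posted, aggregated per upstream delegation (the `domain:` field of the fetch statistics) so that a delegation whose servers never answer stands out from a general link problem. It handles any number of entries, not just the three above; the log lines inside it are constructed after Alex's (named writes each event as a single line, the wrapping above is from the mail), and the function names are this example's own.

```python
"""Aggregate BIND 'query-errors' log lines per upstream domain.

Added example; not code from the thread. The sample lines are constructed
after the ones Alex posted. Function names are this example's own.
"""
import re
from collections import defaultdict

# debug 1: "... (qname): query failed (SERVFAIL) for qname/IN/qtype at query.c:NNNN"
SERVFAIL_RE = re.compile(
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<qname>\S+)/IN/(?P<qtype>\S+)")

# debug 2: "fetch completed at resolver.c:NNNN for qname/qtype in SECS: result/vresult
#           [domain:...,qrysent:N,timeout:M,...]"
FETCH_RE = re.compile(
    r"fetch completed .*? for (?P<qname>\S+)/(?P<qtype>\S+) in (?P<secs>[\d.]+): "
    r"(?P<status>.+?) \[(?P<stats>[^\]]+)\]")


def parse_fetch_stats(stats):
    """'domain:psky.me,referral:1,qrysent:4,...' -> {'domain': 'psky.me', 'referral': 1, ...}"""
    out = {}
    for item in stats.split(","):
        key, _, value = item.partition(":")
        out[key] = value if key == "domain" else int(value)
    return out


def parse_line(line):
    """Classify one log line: ('servfail', fields), ('fetch', fields) or None."""
    m = SERVFAIL_RE.search(line)
    if m:
        return "servfail", m.groupdict()
    m = FETCH_RE.search(line)
    if m:
        fields = m.groupdict()
        fields["secs"] = float(fields["secs"])
        fields.update(parse_fetch_stats(fields.pop("stats")))
        return "fetch", fields
    return None


def summarize(lines):
    """Return (servfail_count, {domain: stats}). 'domain' is the zone whose
    servers were being asked; stats count fetches, queries sent, per-query
    timeouts, fetches that ended in a timeout and the slowest fetch."""
    per_domain = defaultdict(lambda: {"fetches": 0, "qrysent": 0, "timeout": 0,
                                      "timed_out_fetches": 0, "max_secs": 0.0})
    servfails = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fields = parsed
        if kind == "servfail":
            servfails += 1
            continue
        d = per_domain[fields["domain"]]
        d["fetches"] += 1
        d["qrysent"] += fields["qrysent"]
        d["timeout"] += fields["timeout"]
        if fields["status"].startswith("timed out"):
            d["timed_out_fetches"] += 1
        d["max_secs"] = max(d["max_secs"], fields["secs"])
    return servfails, dict(per_domain)


def timeout_suspects(per_domain):
    """Domains where every fetch ended in a timeout: a dead or unreachable
    delegation rather than general link trouble."""
    return sorted(d for d, s in per_domain.items()
                  if s["fetches"] and s["timed_out_fetches"] == s["fetches"])


# Constructed sample, one event per line as named writes it.
SAMPLE_LOG = """\
26-Jul-2018 17:44:40.168 query-errors: debug 1: client @0x7fbee80f39b0 127.0.0.1#61547 (69.248.70.96.bad.psky.me): query failed (SERVFAIL) for 69.248.70.96.bad.psky.me/IN/A at ../../../bin/named/query.c:8580
26-Jul-2018 17:44:40.168 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 69.248.70.96.bad.psky.me/A in 10.96: timed out/success [domain:psky.me,referral:1,restart:2,qrysent:4,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
26-Jul-2018 17:44:40.172 query-errors: debug 1: client @0x7fbed81218a0 127.0.0.1#61547 (176.216.85.209.psbl.surriel.com): query failed (SERVFAIL) for 176.216.85.209.psbl.surriel.com/IN/A at ../../../bin/named/query.c:8580
26-Jul-2018 17:44:40.172 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 176.216.85.209.psbl.surriel.com/A in 10.000128: timed out/success [domain:psbl.surriel.com,referral:2,restart:1,qrysent:2,timeout:1,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
26-Jul-2018 17:45:02.500 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 203.0.113.9.bad.psky.me/A in 10.35: timed out/success [domain:psky.me,referral:1,restart:1,qrysent:3,timeout:2,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

if __name__ == "__main__":
    n, per = summarize(SAMPLE_LOG.splitlines())
    print(f"{n} SERVFAIL answers")
    for domain, s in sorted(per.items()):
        print(f"{domain:24} fetches={s['fetches']} qrysent={s['qrysent']} "
              f"timeout={s['timeout']} slowest={s['max_secs']:.2f}s")
    print("all fetches timed out:", ", ".join(timeout_suspects(per)))
```

Against a real log, `summarize(open("/var/named/data/named.run"))` does the same job. For John's question the shape of the result is what matters: one or two domains whose every fetch times out point at those delegations (or a path to them), while timeouts spread over every domain during busy periods point at the link or at the resolver limits he lists.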

Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Greg Rivers
In summary, all of the advice you received on this thread regarding the 
publishing of private IPs in DNS is correct:

• As I told you, on a purely practical level, it won't work because private 
addresses aren't routable on the Internet.

• As Kevin told you, there are myriad security ramifications, as everyone and 
no one controls routing of private addresses locally.

• As Timothe told you, views can be used effectively, though as things scale 
up, your ability to use views will hinge on your ability to manage them.

To provide service to the Internet, you need a public IP. It may be that we 
misunderstood the wording of your question. If your actual question was "can I 
publish a public IP in DNS and NAT it to a private IP behind my firewall", then 
of course the answer is "yes". Otherwise, trust the given advice.

-- 
Greg Rivers


Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Timothe Litt

On 27-Jul-18 11:59, Elias Pereira wrote:
> hello,
>
> Can an authoritative dns for a domain, eg mydomain.tdl, have a
> hostname, example, wordpress.mydomain.tdl with a private IP?
>
> Would this be accessible from the internet via hostname, if I did a
> nat on the firewall?
>
> -- 
> Elias Pereira

No.  Two issues seem to be conflated here.

For DNS, what you probably want is a setup with views; that way the site
will resolve to the private IP address from inside your site, but to the
external address from outside.

For making your servers accessible, NAT will probably be necessary for
the webserver and the DNS server inside your firewall to be accessible
from outside.  Your secondary DNS servers are required to be
geographically separate.  So either you have another location with a
firewall (where you again NAT), or you use a secondary DNS service.

Views are in the bind ARM, and have been discussed on this list before.

There are some middleboxes (among them Cisco Routers) that do attempt to
rewrite DNS records on the fly in a NAT like fashion.  Stay away from
those.  They tend to break things in the best of circumstances, and
absolutely break DNSSEC.






Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Chris Thompson

On Jul 27 2018, Timothe Litt wrote:

[...]

> If you want to do this validation with zone files, then text tools (e.g.
> a Perl, awk, etc) are a reasonable approach.  It would not be
> particularly difficult - though you do have to handle include files.
> Rather than working from zone files, the easiest approach is to do a dig
> axfr to get the actual zone...


If you do need to work from the zone files, I would strongly recommend
normalising them with "named-checkzone -o outfile zonename infile" or
an equivalent, before trying to unpick them with "Perl, awk, etc".

--
Chris Thompson
Email: c...@cam.ac.uk


RE: Authoritative dns with private IP for hostname

2018-07-27 Thread Darcy Kevin (FCA)
RFC 1918 forbade the publishing of private addresses outside of the enterprise:

"Indirect references to [private] addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."

Having said that, however, BIND doesn't prevent you publishing such addresses 
to the Internet, since it doesn't really know -- *cannot* know, in advance -- 
whether the data is going to be queried from the Internet or not.

I'm not aware of ISPs that filter customer DNS traffic for RFC 1918 addresses 
either.

As Greg pointed out, the addresses aren't going to be routable anyway, but even 
in the absence of routability, there are Information Security concerns: if 
someone -- let's call them a business partner -- trusts your DNS *domain*, and 
you publish private addresses associated with names in that domain, then a 
malicious actor could potentially exploit that trust to gain access to the 
business partner's resources, e.g. trick their browser into connecting to an 
internal resource on their network, that happens to have the same private 
address as what you published. Business partner trusts example.com (your 
domain), nat.example.com resolves to 10.1.1.1, malicious actor redirects a 
website reference to nat.example.com (which you trust) and this gives them 
unintentional, unauthorized access to 10.1.1.1 on business partner's network.

The basic Information Security problem with private addresses is that they are 
*non-unique*. This introduces ambiguity, and ambiguity produces surprises and 
can be exploited. Best to keep everything to do with private addresses and 
private namespaces within your own organization (and yes, I understand the 
general trend towards "eliminating the perimeter", but this needs to be done in 
a methodical, careful way).


- Kevin


-Original Message-
From: bind-users  On Behalf Of Greg Rivers
Sent: Friday, July 27, 2018 12:07 PM
To: Elias Pereira 
Cc: bind-users@lists.isc.org
Subject: Re: Authoritative dns with private IP for hostname

On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a 
> hostname, example, wordpress.mydomain.tdl with a private IP?
> 
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a 
> nat on the firewall?
>
No, by definition, private addresses are not routable on the Internet.

--
Greg Rivers


Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Greg Rivers
On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname,
> example, wordpress.mydomain.tdl with a private IP?
> 
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a nat on
> the firewall?
>
No, by definition, private addresses are not routable on the Internet.

-- 
Greg Rivers


Authoritative dns with private IP for hostname

2018-07-27 Thread Elias Pereira
hello,

Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname,
example, wordpress.mydomain.tdl with a private IP?

Would this be accessible from the internet via hostname, if I did a nat on
the firewall?

-- 
Elias Pereira


Re: tool for finding undelegated children in your DNS

2018-07-27 Thread Timothe Litt
On 26-Jul-18 19:46, Victoria Risk wrote:
> I have been told this is a very poor description of the problem.
>
> What I am concerned about is, how people with a sort of lazy zone file
> can assess the potential impact of QNAME minimization on their ability
> to answer for all of their zones.
>
> I have gotten two suggestions off list:
> - I would use named-checkzone to print the zone with all owner names
> printed out and then use text processing tools
> - “dig ds -f list-of-zones”, Those that return NXDOMAIN are likely
> missing NS records.
>
> Any other ideas?
> Has anyone done this kind of housekeeping on their own zones?
>
>
>> On Jul 26, 2018, at 11:41 AM, Victoria Risk wrote:
>>
>> Does anyone know of a good tool that you can run on your DNS records
>> to find parent + child pairs where there is no NS record for the
>> child in the parent?
>>
>> Someone must have a perl script for that, right?
>>
>> Thank you for any suggestions.
>>
>> Vicky
>>
>>
If you want to do this validation with zone files, then text tools (e.g.
a Perl, awk, etc) are a reasonable approach.  It would not be
particularly difficult - though you do have to handle include files. 
Rather than working from zone files, the easiest approach is to do a dig
axfr to get the actual zone...

I tend to use dnsviz (http://dnsviz.net) and zonemaster
(https://www.zonemaster.net/domain_check) for consistency checking.

I don't tend to have issues with internal views because of the tools
that I use to update my zones (they pretty
much ensure that mistakes made there will also show up externally :-(). 
So the web checkers are my tools of choice.

But both dnsviz and zonemaster are on GitHub & can be run
internally.  Zonemaster is Perl; dnsviz is Python.  Zonemaster requires
a database (MySQL/MariaDB/PostgreSQL).  The web version of dnsviz is
graphic, and has accessibility issues.  Zonemaster is standard HTML &
more suitable if you use a screen reader.

dnsviz run locally has command line options that will do the analysis -
see the GitHub readme.

Both tools do extensive checks (dnsviz is oriented around DNSSEC, but
does many other checks).

It's a good idea to run one or the other regardless of this point
issue.  Actually - I run both.

Of course the usual caveats about stealth (unlisted) servers apply.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 



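
Added example covering two of the threads above (my code, not anything posted to the list): a pre-publish check for the private-address problem Kevin describes in the "Authoritative dns with private IP for hostname" thread (it would also confirm that Grant's external zone carries only the NAT's public address), and the parent/child delegation check Vicky asked for, implemented over the normalised `named-checkzone -o -` output that Chris recommends rather than over raw zone files. Zone names and records are constructed; 203.0.113.0/24, used in the thread, is a documentation prefix and is reported as such, which is the right answer for a zone about to go live. The function names are this example's own.

```python
"""Two offline checks over normalised BIND zone files (added example, not
code from the list). Input is the one-record-per-line form that
'named-checkzone -o - ZONE FILE' prints (fully qualified owner on every
line). Zone names and records below are constructed."""
import ipaddress

DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def parse_records(zone_text):
    """Yield (owner, rtype, rdata) from 'owner [ttl] [class] type rdata' lines."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):          # blank or $ directive
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():                      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) >= 2:
            yield owner, rest[0].upper(), " ".join(rest[1:])


def check_address(text):
    """None if the address may be served to the Internet, else a short reason.
    Documentation, loopback and link-local are tested before is_private
    because ipaddress folds all of them into is_private."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "unparsable address"
    if any(addr in net for net in DOC_NETS):
        return "documentation prefix (RFC 5737 / RFC 3849)"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private (RFC 1918 / RFC 4193)"
    if not addr.is_global:                 # e.g. 100.64.0.0/10 shared space
        return "not globally routable (shared or reserved)"
    return None


def non_global_addresses(zone_text):
    """[(owner, rtype, address, reason)] for every A/AAAA record that, per
    Kevin's advice, must stay inside the organisation."""
    out = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype in ("A", "AAAA"):
            reason = check_address(rdata)
            if reason is not None:
                out.append((owner, rtype, rdata, reason))
    return out


def parent_of(zone, zones):
    """Closest ancestor of 'zone' among the names in 'zones', or None."""
    labels = zone.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def undelegated_children(zones):
    """zones: {'name.': zone_text} for every zone you serve yourself.
    Returns [(child, parent)] where the parent zone carries no NS record at
    the child's name (the pair Vicky asked about). A resolver doing QNAME
    minimisation asks the parent's servers for the child name first."""
    zones = {name.lower(): text for name, text in zones.items()}
    ns_owners = {name: {o for o, t, _ in parse_records(text) if t == "NS"}
                 for name, text in zones.items()}
    missing = []
    for child in sorted(zones):
        parent = parent_of(child, zones)
        if parent is not None and child not in ns_owners[parent]:
            missing.append((child, parent))
    return missing


# Constructed zones: example.net. delegates sub. but not lab., and carries
# several addresses that have no business in a public zone.
PUBLIC_ZONE = """\
example.net.            3600 IN SOA  ns1.example.net. hostmaster.example.net. 2018072701 7200 900 1209600 3600
example.net.            3600 IN NS   ns1.example.net.
ns1.example.net.        3600 IN A    203.0.113.53
myservice.example.net.  3600 IN A    203.0.113.123
nat.example.net.        3600 IN A    10.1.1.1       ; the case Kevin describes
printer.example.net.    3600 IN A    192.168.1.234
cgnat.example.net.      3600 IN A    100.64.0.7
v6host.example.net.     3600 IN AAAA fd00:1234::10
sub.example.net.        3600 IN NS   ns1.example.net.
"""
SOA = "3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 3600\n"
ZONES = {
    "example.net.": PUBLIC_ZONE,
    "sub.example.net.": "sub.example.net. " + SOA + "sub.example.net. 3600 IN NS ns1.example.net.\n",
    "lab.example.net.": "lab.example.net. " + SOA + "lab.example.net. 3600 IN NS ns1.example.net.\n",
}

if __name__ == "__main__":
    for owner, rtype, addr, why in non_global_addresses(PUBLIC_ZONE):
        print(f"{owner:24}{rtype:5}{addr:16} {why}")
    for child, parent in undelegated_children(ZONES):
        print(f"{child} is served here but has no NS records in {parent}")
```

To use it on real data, feed each zone through `named-checkzone -o - ZONE FILE` first, as Chris says; that resolves `$INCLUDE`, `$ORIGIN` and omitted owner names so the parser never has to. The delegation check only sees zones you hand it, so a child hosted elsewhere still needs the `dig ds` style check from Vicky's off-list suggestions, and the usual caveat about stealth servers from Timothe's reply applies.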