Re: Authoritative dns with private IP for hostname
On 07/30/2018 08:01 PM, Browne, Stuart via bind-users wrote:
> Be wary of DNAME's; they can be quite limited.

ACK

> Here's an example from our old system:
>
> internal. 3600 IN SOA mgmt1.mel.internal.local. sysadmin.external.com.au. 2014051201 28800 14400 360 86400
> internal. 3600 IN NS mgmt1.mel.internal.local.
> internal. 3600 IN NS mgmt1.syd.internal.local.
> internal. 3600 IN DNAME external.com.au.
>
> Which means internally we can look up "host.internal" and it will translate to "host.external.com.au".

Thank you for the example Stuart.

It's my understanding that DNAME is functionally like substituting the LHS (portion of the) QNAME of the RR with the RHS DNAME. I don't recall at the moment exactly how it's done. I think it may return both a DNAME and a fabricated CNAME.

It's my understanding that the fabricated CNAME is a hack to support resolvers that don't understand DNAME.

Can / will anyone correct my understanding?

Thank you in advance.

--
Grant. . . .
unix || die

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
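The substitution Grant describes is specified in RFC 6672: the DNAME owner suffix of the queried name is replaced by the DNAME target, the owner name itself is not redirected, and a DNAME-aware authoritative server adds a synthesized CNAME for the queried name so that resolvers without DNAME support can follow it. The following is an added example (editor's code, not from the thread or from BIND) that implements that rule with Stuart's "internal." -> "external.com.au." record as constructed input, including the 255-octet name limit that RFC 6672 maps to YXDOMAIN and the TTL the synthesized CNAME carries.

```python
"""DNAME substitution and CNAME synthesis, following RFC 6672 (sections 2.2 and 3.1).

Added example: editor's code, not from the thread or from BIND.  The input is
constructed from Stuart's records: a DNAME at "internal." pointing to
"external.com.au." with a TTL of 3600.
"""


class DnameError(Exception):
    """The substitution cannot be applied to this query name, or the result is too long
    (RFC 6672 answers an over-long substitution with RCODE YXDOMAIN)."""


def _labels(name):
    """Split an absolute or relative name into lower-cased labels; the root is []."""
    stripped = name.strip().lower().rstrip(".")
    return stripped.split(".") if stripped else []


def wire_length(name):
    """Length of the name in wire format: one length octet per label plus the root octet."""
    return sum(len(label) + 1 for label in _labels(name)) + 1


def dname_applies(owner, qname):
    """A DNAME at `owner` redirects names strictly below `owner`, never `owner` itself
    (the owner's own SOA/NS and other records are served normally)."""
    o, q = _labels(owner), _labels(qname)
    return len(q) > len(o) and (not o or q[-len(o):] == o)


def substitute(owner, target, qname):
    """Replace the `owner` suffix of `qname` with `target`; leading labels are kept verbatim."""
    if not dname_applies(owner, qname):
        raise DnameError(f"DNAME at {owner} does not apply to {qname}")
    o, q = _labels(owner), _labels(qname)
    prefix = q[: len(q) - len(o)]
    new_name = ".".join(prefix + _labels(target)) + "."
    if wire_length(new_name) > 255:
        raise DnameError("substituted name exceeds 255 octets (YXDOMAIN)")
    return new_name


def synthesize_answer(dname_rr, qname):
    """Return the RRs a DNAME-aware server puts in the answer section: the DNAME itself and
    a CNAME synthesized for the queried name.  The CNAME exists for resolvers that do not
    understand DNAME; RFC 6672 gives it the DNAME's TTL (RFC 2672 had used zero)."""
    owner, ttl, target = dname_rr
    new_name = substitute(owner, target, qname)
    return [
        (owner, ttl, "DNAME", target),
        (qname.lower(), ttl, "CNAME", new_name),
    ]


if __name__ == "__main__":
    rr = ("internal.", 3600, "external.com.au.")
    for name in ("host.internal.", "www.host.internal.", "internal."):
        try:
            for record in synthesize_answer(rr, name):
                print(name, "->", record)
        except DnameError as exc:
            print(name, "->", exc)
```

Running it shows "host.internal." and "www.host.internal." rewritten under external.com.au., while a query for "internal." itself raises, because the DNAME owner keeps its own records (the SOA and NS lines in Stuart's zone) rather than being redirected.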
RE: Authoritative dns with private IP for hostname
Be wary of DNAME's; they can be quite limited.

Here's an example from our old system:

internal. 3600 IN SOA mgmt1.mel.internal.local. sysadmin.external.com.au. 2014051201 28800 14400 360 86400
internal. 3600 IN NS mgmt1.mel.internal.local.
internal. 3600 IN NS mgmt1.syd.internal.local.
internal. 3600 IN DNAME external.com.au.

Which means internally we can look up "host.internal" and it will translate to "host.external.com.au".

Stuart

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Elias Pereira
Sent: Tuesday, 31 July 2018 10:06 AM
To: Grant Taylor; bind-users@lists.isc.org
Subject: Re: Authoritative dns with private IP for hostname

Could you give me an example of how to do with DNAME?

On Mon, 30 Jul 2018 20:16, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 07/30/2018 04:54 PM, Elias Pereira wrote:
> > Thanks to everyone that helped me!!!
>
> You're welcome.
>
> > The Grant Taylor tuto works like a charm!!! :)
>
> I'm glad that it worked for you.
>
> Note: I call this technique "Apex Override".
>
> I believe the Apex Override technique can be used anywhere you want to selectively override a (single) FQDN.
>
> I suspect there are some more nefarious things that you can do with this, particularly if combined with DNAME. But I try to keep my hat a lighter shade of gray.
>
> --
> Grant. . . .
> unix || die
Re: Authoritative dns with private IP for hostname
Could you give me an example of how to do with DNAME?

On Mon, 30 Jul 2018 20:16, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 07/30/2018 04:54 PM, Elias Pereira wrote:
> > Thanks to everyone that helped me!!!
>
> You're welcome.
>
> > The Grant Taylor tuto works like a charm!!! :)
>
> I'm glad that it worked for you.
>
> Note: I call this technique "Apex Override".
>
> I believe the Apex Override technique can be used anywhere you want to selectively override a (single) FQDN.
>
> I suspect there are some more nefarious things that you can do with this, particularly if combined with DNAME. But I try to keep my hat a lighter shade of gray.
>
> --
> Grant. . . .
> unix || die
Re: Authoritative dns with private IP for hostname
On 07/30/2018 04:54 PM, Elias Pereira wrote:
> Thanks to everyone that helped me!!!

You're welcome.

> The Grant Taylor tuto works like a charm!!! :)

I'm glad that it worked for you.

Note: I call this technique "Apex Override".

I believe the Apex Override technique can be used anywhere you want to selectively override a (single) FQDN.

I suspect there are some more nefarious things that you can do with this, particularly if combined with DNAME. But I try to keep my hat a lighter shade of gray.

--
Grant. . . .
unix || die
Re: Authoritative dns with private IP for hostname
Thanks to everyone that helped me!!!

The Grant Taylor tuto works like a charm!!! :)

On Fri, Jul 27, 2018 at 7:12 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 07/27/2018 09:59 AM, Elias Pereira wrote:
> > hello,
>
> Hi,
>
> > Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?
>
> Yes, an authoritative DNS server can have a private (non-globally-routed) IP address in the zone data.
>
> However, there is a catch.
>
> > Would this be accessible from the internet via hostname, if I did a nat on the firewall?
>
> It would (extremely likely) ONLY be accessible from the private (non-globally-routed) LAN. Even that wouldn't require NAT because clients would be on the LAN and access it directly without passing through the NAT router.
>
> I don't think this will do what (I'm guessing) you want to do.
>
> I suspect you want to have a server with a private IP be accessible via domain name from outside the network.
>
> To do this, do the following things:
>
> 1) Enter the outside static IP address of the NAT in DNS for the hostname.
> 2) Configure NAT to (port) forward the traffic you are interested in from the outside into the server's internal IP.
>
> This will allow the world to access the service(s) in question.
>
> To help the internal clients, set up an additional DNS zone (that is only accessed by internal clients) that is the FQDN of the hostname and put an A / record in the zone's apex that resolves to the internal IP.
>
> ;
> ; External / Global / Public DNS zone file for example.net
> ;
> $ORIGIN example.net.
> ...
> myservice IN A 203.0.113.123
>
>
> ;
> ; Internal / Private DNS zone file for service.example.net
> ;
> $ORIGIN myservice.example.net.
> @ IN A 192.168.1.234
>
> This will cause the world to resolve myservice.example.net. to 203.0.113.123 and clients inside the LAN to resolve myservice.example.net. to 192.168.1.234.
>
> I'm assuming that NAT is configured to port forward the desired ports for 203.0.113.123 to 192.168.1.234.
>
> I think this will do what I think you are wanting to do.
>
> --
> Grant. . . .
> unix || die

--
Elias Pereira
Re: Authoritative dns with private IP for hostname
On 07/27/2018 09:59 AM, Elias Pereira wrote:
> hello,

Hi,

> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?

Yes, an authoritative DNS server can have a private (non-globally-routed) IP address in the zone data.

However, there is a catch.

> Would this be accessible from the internet via hostname, if I did a nat on the firewall?

It would (extremely likely) ONLY be accessible from the private (non-globally-routed) LAN. Even that wouldn't require NAT because clients would be on the LAN and access it directly without passing through the NAT router.

I don't think this will do what (I'm guessing) you want to do.

I suspect you want to have a server with a private IP be accessible via domain name from outside the network.

To do this, do the following things:

1) Enter the outside static IP address of the NAT in DNS for the hostname.
2) Configure NAT to (port) forward the traffic you are interested in from the outside into the server's internal IP.

This will allow the world to access the service(s) in question.

To help the internal clients, set up an additional DNS zone (that is only accessed by internal clients) that is the FQDN of the hostname and put an A / record in the zone's apex that resolves to the internal IP.

;
; External / Global / Public DNS zone file for example.net
;
$ORIGIN example.net.
...
myservice IN A 203.0.113.123


;
; Internal / Private DNS zone file for service.example.net
;
$ORIGIN myservice.example.net.
@ IN A 192.168.1.234

This will cause the world to resolve myservice.example.net. to 203.0.113.123 and clients inside the LAN to resolve myservice.example.net. to 192.168.1.234.

I'm assuming that NAT is configured to port forward the desired ports for 203.0.113.123 to 192.168.1.234.

I think this will do what I think you are wanting to do.

--
Grant. . . .
unix || die
Re: Authoritative dns with private IP for hostname
In summary, all of the advice you received on this thread regarding the publishing of private IPs in DNS is correct:

• As I told you, on a purely practical level, it won't work because private addresses aren't routable on the Internet.
• As Kevin told you, there are myriad security ramifications, as everyone and no one controls routing of private addresses locally.
• As Timothe told you, views can be used effectively, though as things scale up, your ability to use views will hinge on your ability to manage them.

To provide service to the Internet, you need a public IP.

It may be that we misunderstood the wording of your question. If your actual question was "can I publish a public IP in DNS and NAT it to a private IP behind my firewall", then of course the answer is "yes". Otherwise, trust the given advice.

--
Greg Rivers
Re: Authoritative dns with private IP for hostname
On 27-Jul-18 11:59, Elias Pereira wrote:
> hello,
>
> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?
>
> Would this be accessible from the internet via hostname, if I did a nat on the firewall?
>
> --
> Elias Pereira

No.

Two issues seem to be conflated here.

For DNS, what you probably want is a setup with views; that way the site will resolve to the private IP address from inside your site, but to the external address from outside.

For making your servers accessible, NAT will probably be necessary for the webserver and the DNS server inside your firewall to be accessible from outside.

Your secondary DNS servers are required to be geographically separate. So either you have another location with a firewall (where you again NAT), or you use a secondary DNS service.

Views are in the bind ARM, and have been discussed on this list before.

There are some middleboxes (among them Cisco Routers) that do attempt to rewrite DNS records on the fly in a NAT like fashion. Stay away from those. They tend to break things in the best of circumstances, and absolutely break DNSSEC.
RE: Authoritative dns with private IP for hostname
RFC 1918 forbade the publishing of private addresses outside of the enterprise:

"Indirect references to [private] addresses should be contained within the enterprise. Prominent examples of such references are DNS Resource Records and other information referring to internal private addresses. In particular, Internet service providers should take measures to prevent such leakage."

Having said that, however, BIND doesn't prevent you publishing such addresses to the Internet, since it doesn't really know -- *cannot* know, in advance -- whether the data is going to be queried from the Internet or not. I'm not aware of ISPs that filter customer DNS traffic for RFC 1918 addresses either.

As Greg pointed out, the addresses aren't going to be routable anyway, but even in the absence of routability, there are Information Security concerns: if someone -- let's call them a business partner -- trusts your DNS *domain*, and you publish private addresses associated with names in that domain, then a malicious actor could potentially exploit that trust to gain access to the business partner's resources, e.g. trick their browser into connecting to an internal resource on their network, that happens to have the same private address as what you published. Business partner trusts example.com (your domain), nat.example.com resolves to 10.1.1.1, malicious actor redirects a website reference to nat.example.com (which you trust) and this gives them unintentional, unauthorized access to 10.1.1.1 on business partner's network.

The basic Information Security problem with private addresses is that they are *non-unique*. This introduces ambiguity, and ambiguity produces surprises and can be exploited. Best to keep everything to do with private addresses and private namespaces within your own organization (and yes, I understand the general trend towards "eliminating the perimeter", but this needs to be done in a methodical, careful way).

- Kevin

-----Original Message-----
From: bind-users On Behalf Of Greg Rivers
Sent: Friday, July 27, 2018 12:07 PM
To: Elias Pereira
Cc: bind-users@lists.isc.org
Subject: Re: Authoritative dns with private IP for hostname

On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?
>
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a nat on the firewall?
>
No, by definition, private addresses are not routable on the Internet.

--
Greg Rivers
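Two points in this thread lend themselves to a small working model: Grant's "Apex Override" (a one-name zone for myservice.example.net. that internal clients see, shadowing the parent example.net. zone because an authoritative server answers from the closest enclosing zone) and Kevin's warning about RFC 1918 addresses leaking into externally published zone data. The following is an added example (editor's code, not from the thread or from BIND) that parses two constructed zone files written in the style of Grant's, resolves the same name from the "outside" and "inside" sets of zones, and audits a zone for RFC 1918 addresses before it is published. The SOA/NS contents and ns1.example.net. are placeholders; the check deliberately tests the three RFC 1918 ranges rather than Python's broader `is_private`, which also flags documentation ranges such as 203.0.113.0/24.

```python
"""Apex Override resolution and an RFC 1918 leakage check for zone data.

Added example: editor's code, not from the thread or from BIND.  Zone contents
are constructed in the style of Grant's example; SOA/NS values are placeholders.
"""
import ipaddress

# RFC 1918 private ranges, checked explicitly (ipaddress.is_private is wider).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXTERNAL_ZONE = """
; External / public zone for example.net (served to everyone)  -- constructed
$ORIGIN example.net.
@          IN SOA ns1.example.net. hostmaster.example.net. 2018073001 3600 900 604800 300
@          IN NS  ns1.example.net.
ns1        IN A   203.0.113.1
myservice  IN A   203.0.113.123
"""

INTERNAL_ZONE = """
; Internal-only zone: the service FQDN itself is the zone apex  -- constructed
$ORIGIN myservice.example.net.
@  IN SOA ns1.example.net. hostmaster.example.net. 2018073001 3600 900 604800 300
@  IN NS  ns1.example.net.
@  IN A   192.168.1.234
"""


def canonical(name, origin):
    """Absolute, lower-cased owner name with a trailing dot; '@' means the origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse the master-file subset used above: $ORIGIN and 'owner [ttl] [IN] TYPE rdata'."""
    origin, records = None, {}          # records: owner -> [(type, rdata), ...]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        owner, rest = canonical(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.setdefault(owner, []).append((rest[0].upper(), " ".join(rest[1:])))
    return origin, records


def closest_zone(zones, qname):
    """Authoritative servers answer from the closest enclosing zone: longest matching suffix."""
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve_a(zones, qname):
    """Return the A rdata for qname from the zone that would answer it, or None."""
    qname = qname.lower()
    zone = closest_zone(zones, qname)
    if zone is None:
        return None
    return next((rdata for rtype, rdata in zones[zone].get(qname, []) if rtype == "A"), None)


def rfc1918_leaks(records):
    """(owner, address) pairs whose A record lies in an RFC 1918 range."""
    return [
        (owner, rdata)
        for owner, rrs in records.items()
        for rtype, rdata in rrs
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)
    ]


ext_origin, ext_records = parse_zone(EXTERNAL_ZONE)
int_origin, int_records = parse_zone(INTERNAL_ZONE)
PUBLIC_VIEW = {ext_origin: ext_records}                          # what the Internet sees
INTERNAL_VIEW = {ext_origin: ext_records, int_origin: int_records}  # LAN resolvers see both


def outside_answer():
    return resolve_a(PUBLIC_VIEW, "myservice.example.net.")


def inside_answer():
    return resolve_a(INTERNAL_VIEW, "myservice.example.net.")


if __name__ == "__main__":
    print("outside:", outside_answer())
    print("inside: ", inside_answer())
    print("private addresses in public zone:", rfc1918_leaks(ext_records))
    print("private addresses in internal zone:", rfc1918_leaks(int_records))
```

The internal zone wins for LAN clients purely because its origin is the longer suffix of the queried name; nothing about the parent zone changes. Running `rfc1918_leaks` over a zone before it is loaded into an externally reachable server is the practical control for the leakage Kevin describes: the internal zone is expected to contain 192.168.1.234, the external one must not.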
Re: Authoritative dns with private IP for hostname
On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?
>
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a nat on the firewall?
>
No, by definition, private addresses are not routable on the Internet.

--
Greg Rivers
Authoritative dns with private IP for hostname
hello,

Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP?

Would this be accessible from the internet via hostname, if I did a nat on the firewall?

--
Elias Pereira