Re: Forward zone inside a view

2019-02-13 Thread Tony Finch
Grant Taylor via bind-users wrote: > > I know it's not yet an option and won't yet work for Roberto C., but would > BIND's forthcoming "mirror" zone type change any of this? No. Tony. -- f.anthony.n.finch http://dotat.at/ safeguard the balance of nature and the environment

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
Controlling DNS resolution isn't the panacea for all security challenges, but then neither is a firewall. Or IPS. Or DLP. Or blacklisting/whitelisting. Or restrictive routing. Or NAT'ing. But some combination of those can be part of an overall security strategy. Defense in depth. - Kevin On Tue,

Re: Forward zone inside a view

2019-02-12 Thread Timothe Litt
All these replies are correct in the details (as usual), but miss the point. Blocking name resolution, while popular, does not meet the OP's requirement: "The point is I have several desktops that *must* have access **only** to internal domains.*" Let's say that your client's favorite illicit si

Re: Forward zone inside a view

2019-02-12 Thread Grant Taylor via bind-users
On 02/12/2019 03:45 PM, Kevin Darcy wrote: "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instance. I know it's not yet an option and won't yet work f

Re: Forward zone inside a view

2019-02-12 Thread Grant Taylor via bind-users
On 02/07/2019 07:02 PM, Paul Kosinski wrote: I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them access "teamviewer.local", which is resolv

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as "type forward". "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instan

Re: Forward zone inside a view

2019-02-12 Thread Dirk Gottschalk via bind-users
Hello. On Thursday, 07.02.2019, 10:32 -0300, Roberto Carna wrote: > Dear, I have Bind 9.10.3 as our private DNS service with two views, > one of them lets some clients query the linux.org domain from the Internet, > forwarding the query to our Bind resolvers, but the query is refused > by our priv

Re: Forward zone inside a view

2019-02-11 Thread Timothe Litt
On 11-Feb-19 08:38, Roberto Carna wrote: > The point is I have several desktops that must have access only to > internal domains. The unique exception is they have access to > teamviewer.com in order to download the > Teamviewer client and a pair of operations in this publ

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Matus, I've followed what you say: view "internet" { match-clients { internet_clients; key "pnet"; }; recursion yes; zone "teamviewer.com" { type forward; forward only; forwarders { 8.8.8.8; }; }; }; but clients can resolve ANY public Internet

Re: Forward zone inside a view

2019-02-11 Thread Matus UHLAR - fantomas
On 11.02.19 10:38, Roberto Carna wrote: Dear Matus, thanks a lot for your help. what is the point of running DNS server with only two hostnames allowed to resolve? The point is I have several desktops that must have access only to internal domains. The unique exception is they have access t

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Dear Matus, thanks a lot for your help. >> what is the point of running DNS server with only two hostnames allowed to >> resolve? The point is I have several desktops that must have access only to internal domains. The unique exception is they have access to teamviewer.com in order to download

Re: Forward zone inside a view

2019-02-09 Thread Matus UHLAR - fantomas
On 07.02.19 16:30, Roberto Carna wrote: Desktops I mentioned can only access web apps from internal domains, but in some web apps there are links to download Teamviewer client software from the Internet. I can create a private zone "teamviewer.com" with all the hostnames and IP's we will use, but

Re: Forward zone inside a view

2019-02-07 Thread Paul Kosinski
I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them access "teamviewer.local", which is resolved by your internal DNS to a specialized proxy se

Re: Forward zone inside a view

2019-02-07 Thread Alan Clegg
On 2/7/19 2:30 PM, Roberto Carna wrote: > Dear, thanks for your contact. I've used teamviewer.com > just for tests. > > Desktops I mentioned can only access web apps from internal domains, > but in some web apps there are links to download Teamviewer client > software fr

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear, thanks for your contact. I've used teamviewer.com just for tests. Desktops I mentioned can only access web apps from internal domains, but in some web apps there are links to download Teamviewer client software from the Internet. I can create a private zone "teamviewer.com" with all the hostn

Re: Forward zone inside a view

2019-02-07 Thread Matus UHLAR - fantomas
On 07.02.19 14:58, Roberto Carna wrote: In our company we have several desktops from two different cities accessing only internal domains distributed in two views in a private BIND with authoritative zones, where I've defined "recursion no;". But now we have to let them access *.teamviewer

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Ok Tony, please let me explain to you. In our company we have several desktops from two different cities accessing only internal domains distributed in two views in a private BIND with authoritative zones, where I've defined "recursion no;". But now we have to let them access *.teamviewer.c

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > > So how can I define "recursion yes" just for the zone "linux.org" ??? You can turn recursion on and off for the entire server, or per view, but not per zone. It isn't clear to me what you want this server to do. If it is providing DNS service to end-user devices (if it i

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
When I query www.teamviewer from a desktop, I fail and get this error in dig: WARNING: recursion requested but not available In BIND I have in named.conf.local: zone "linux.org" { type forward; forwarders { 172.18.1.1; 172

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Tony, as you said forwarding requires recursion, but when I define: zone "linux.org" { recursion yes; type forward; forward only; forwarders { 172.18.1.1; 172.18.1.2; }; and after that I restart bind9

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear Tony, I forward the "linux.org" queries from our private Bind to our > Bind resolvers (they have authoritative public zones and also they are > resolvers that forward the queries to 8.8.8.8). > > So why do you say they are authoritative only servers? Oh, I misread your e

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear Tony, I forward the "linux.org" queries from our private Bind to our Bind resolvers (they have authoritative public zones and also they are resolvers that forward the queries to 8.8.8.8). So why do you say they are authoritative only servers? As I said, can I still use the forward option for "li

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear, I have Bind 9.10.3 as our private DNS service with two views, one of > them lets some clients query the linux.org domain from the Internet, forwarding > the query to our Bind resolvers, but the query is refused by our private > Bind. You can't forward to an authoritative-on

Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear, I have Bind 9.10.3 as our private DNS service with two views, one of them lets some clients query the linux.org domain from the Internet, forwarding the query to our Bind resolvers, but the query is refused by our private Bind. The private Bind has these main parameters in named.conf.options: opti