
I have the following setup:

  • DNS-Server reachable from the internet, is authoritative for zone foo.com
  • DNS-Server reachable only locally, should be authoritative for zone test.lab.foo.com

What I try to achieve:

When a DNS query from the outside world reaches the first DNS server for a record belonging to the zone test.lab.foo.com, I want it to make a recursive request to the second DNS server and then forward the records.

I explicitly don't want to do zone transfers or make the second DNS server reachable from the internet.

My configuration looks like this (I only copied the [what I think] important parts here):

On the first DNS-Server

options {
    allow-recursion {
        localnets;
        localhost;
        internal;
        my-datacenter;
        mc-office;
    };
};

zone "test.lab.foo.com" {
    forward only;
    forwarders {
        <private IP of second DNS server>;
    };
    type forward;
};

zone "foo.com" {
    file "/etc/bind/zones/foo.com.zone";
    type master;
};

My issue:

When I am in a local network that is whitelisted in the allow-recursion block, it works as expected. When I try the DNS lookup from the internet, I get a NOERROR with an empty response back.

During debugging, I adjusted the allow-recursion list and added `any` to it. Then it worked. But I don't want my DNS server to allow any kind of recursion. I actually only want "outside" lookups for this one specific zone to be recursive.

How can I set allow-recursion for just one zone?

Racer
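The symptom above (NOERROR with an empty answer from outside, a real answer from a whitelisted network) is easiest to pin down by looking at the raw DNS header rather than at a resolver library's summary. The following is an added example, not code from the original post: a small stdlib-only prober that sends a query with the RD bit set and classifies the reply by RCODE, answer count and the RA (recursion available) flag. The server address, the probed name and the sample reply bytes are constructed for illustration and are not taken from the question.

```python
"""Probe whether a DNS server honours recursion for a given name.

Added example (not from the original post). Sends a UDP query with RD=1 and
classifies the reply header so you can compare what an internal client and
an internet client get back from the same server.
"""
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a class-IN query (default type A) with RD set; returns (packet, txid)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    flags = 0x0100  # QR=0, opcode QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid


def parse_response(data, expected_txid=None):
    """Return the header fields that matter for a recursion check."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # reply bit
        "rd": bool(flags & 0x0100),   # echoed recursion-desired
        "ra": bool(flags & 0x0080),   # server is willing to recurse for us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def classify(hdr):
    """Collapse the header into what the client effectively saw."""
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] > 0:
        return "answered"
    if hdr["rcode"] == "NOERROR":
        return "noerror-empty"   # the symptom described in the question
    return hdr["rcode"].lower()  # servfail / refused / nxdomain / ...


def probe(server, name, port=53, timeout=3.0):
    """Send one query over UDP (IPv4 or IPv6) and classify the answer."""
    pkt, txid = build_query(name)
    family, socktype, proto, _, addr = socket.getaddrinfo(
        server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        s.sendto(pkt, addr)
        data, _ = s.recvfrom(4096)
    hdr = parse_response(data, txid)
    return classify(hdr), hdr


# Constructed 12-byte reply headers for offline checks (not captured traffic).
SAMPLE_NOERROR_EMPTY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)  # QR RD, RA=0
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)       # QR RD RA, rcode 2
SAMPLE_ANSWERED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR RD RA, 1 answer

if __name__ == "__main__":
    # usage: python probe.py <server> <name> [<name> ...]
    srv, names = sys.argv[1], sys.argv[2:]
    for n in names:
        verdict, hdr = probe(srv, n)
        print(f"{n}: {verdict} (ra={hdr['ra']}, rcode={hdr['rcode']})")
```

Run it once from a whitelisted network and once from the internet against the public server, probing a name under test.lab.foo.com and an unrelated name such as example.org: the first run should report `answered` for both, the second should report `answered` only for the forwarded zone and `servfail` or `refused` for the unrelated name once the per-zone setup works. If the unrelated name is also `answered` with `ra=True`, the server is an open resolver.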

1 Answer


This can be solved using the following configuration, using c1.k8s.ooo as an example domain that is hosted on 2a0a:e5c0:2:f::a:

options {
    ...
    allow-recursion { ::/0; 0.0.0.0/0; };
};

zone "c1.k8s.ooo" {
    type forward;
    forward only;
    forwarders { 2a0a:e5c0:2:f::a; };
};

zone "." {
    type hint;
    file "/dev/null";
};

What this does is the following:

  • It first turns bind into an open resolver (which is a bad thing)
  • We define the zone with the destination
  • Using the zone "." we delete the built-in root hints support, thus making bind unable to resolve anything but the required domain.

Note that using something like

zone "." {
    type forward;
    forward only;
    forwarders { };
};

does not stop recursion from outside, because bind has the root zone built in.

  • Welcome to the site, Nico. Please do not "bump" posts on this site. Especially by creating an answer post that is _**not**_ an answer. Upvote the original question, _or_ create your own question with the specific details of your scenario (and what you tried/failed/researched/etc), _or_ post a comment if it's small enough to fit in a comment. Please do one or all of the above, and delete this "answer". Thank you. – C. M. Jul 26 '21 at 05:30
  • Thanks for the bump comment, however the solution above is an answer to the original question. For more details, see https://ungleich.ch/u/blog/how-to-configure-bind-dns-for-a-forward-zone-only/ – Nico Schottelius Jul 27 '21 at 06:15
  • Please read and understand the site's community guidelines. As it is, I am trying to give you guidance on how to use the site, rather than simply requesting deletion of your post. I gave you specific alternatives to try, so that your post does _not_ get deleted from the site. – C. M. Jul 27 '21 at 06:29
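The answer above applies its open-resolver-plus-dead-root-hints trick globally, so internal clients lose normal recursion too. The following named.conf fragment is an added example, not the answer's or the asker's configuration: it keeps the same trick but confines it to an external view, while an internal view keeps real root hints and ordinary recursion for the whitelisted networks. The internal resolver address 10.0.0.53, the 10.0.0.0/8 range and the root hints path /usr/share/dns/root.hints are assumptions for illustration; the zone file path is the one from the question.

```conf
# Added example (not from the original post). Assumed values:
#   10.0.0.53                  - the private, internal-only DNS server
#   10.0.0.0/8                 - the local networks that may recurse freely
#   /usr/share/dns/root.hints  - a real root hints file (Debian dns-root-data)
# Once any "view" is used, every zone (including ".") must live inside a view.

acl "internal" {
    localhost;
    localnets;
    10.0.0.0/8;
};

options {
    directory "/var/cache/bind";
    recursion yes;
};

# Whitelisted clients: a normal recursive resolver with real root hints.
view "internal" {
    match-clients { internal; };
    allow-recursion { internal; };

    zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
    };

    zone "foo.com" {
        type master;
        file "/etc/bind/zones/foo.com.zone";
    };

    zone "test.lab.foo.com" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
};

# Everyone else: recursion must be allowed for the forward zone to work,
# but with an empty root hints file the server can only answer from foo.com
# and from the forwarded zone. Anything else fails instead of being resolved.
view "external" {
    match-clients { any; };
    allow-recursion { any; };

    zone "." {
        type hint;
        file "/dev/null";
    };

    zone "foo.com" {
        type master;
        file "/etc/bind/zones/foo.com.zone";
    };

    zone "test.lab.foo.com" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
};
```

Validate with `named-checkconf` before reloading. Two caveats remain even in this form: internet clients can still make the public server query the private one for any name under test.lab.foo.com, so that server is reachable indirectly for that zone and should rate-limit or at least log those queries; and the external view should be re-tested with an unrelated name after every upgrade, since the whole scheme relies on the empty hints file, not on an explicit deny.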