
Feature #340

Improve DNS security by using views

Added by rgmhtt about 11 years ago. Updated about 11 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 10/14/2009
Due date:
% Done: 0%

Description

Add views to the named.conf file, placing all current zones into an "internal" view. That is:

view "internal" {
    /* This view will contain zones you want to serve only to "internal" clients
       that connect via your directly attached LAN interfaces - "localnets".
    */
    match-clients { hdanets; };
    match-destinations { hdanets; };
    recursion yes;

    zone "home.com" IN {
        type master;
        notify no;
        file "dynamic/hda-n2a.conf";
        allow-update { key ddnskey; };
        check-names ignore;
    };

    zone "1.168.192.in-addr.arpa" IN {
        type master;
        notify no;
        file "dynamic/hda-a2n.conf";
        allow-update { key ddnskey; };
        check-names ignore;
    };

};

where hdanets is defined in an earlier include:

include "/etc/named.acl";

which is placed before the options statement.

named.acl should contain:

acl "hdanets" {
    <network addr>/<CIDR size>; // eg 192.168.1.0/24
    include "/etc/custom.acl";
};

and custom.acl should contain only a comment. This lets a user grant other networks access to the view.

This prevents DNS leakage to the public internet and, where needed, to other networks at the user's site.

hdactl (24.9 KB) rgmhtt, 10/17/2009 08:18 PM

hdactl (25 KB) rgmhtt, 10/18/2009 10:12 AM

hdactl (25 KB) rgmhtt, 10/18/2009 12:53 PM

History

#1 Updated by rgmhtt about 11 years ago

I am attaching my /usr/bin/hdactl that has patches for this bug and for 336.

The changes to /etc/named.conf need 3 include files:

/var/named/named.acl:

acl "hdanets" {
    192.168.1.0/24; // hda network
    include "custom.acl";
};

But I am having problems with line 3, the include. I have asked a question on the BIND users list and should know shortly what is wrong.

custom.acl by default is an empty file:

// Put your additional networks in here e.g.:
// 192.168.2.0;

Then there is custom-zone.conf which by default is an empty file. Here is mine, since I have another nameserver being the master of my TLD, "htt":

// put your custom zones here
//
zone "htt" {
    type slave;
    file "bak.htt";
    masters { 192.168.128.35; };
};

#2 Updated by rgmhtt about 11 years ago

I found out you cannot have an include inside an acl. I am working on an alternative approach for the custom.acl.

Meanwhile here is a newer hdactl that cleans up some tabbing in the view. No other changes.

#3 Updated by rgmhtt about 11 years ago

OK. I got custom.acl working by adding it in directly to /etc/named.conf.

I should warn you that there are other custom changes to the attached /usr/bin/hdactl so that you cannot directly use it. I changed the range for dhcpd by editing the values for dyn_lo and _hi and the number of the hosts in the zone files to reflect my small CIDR block, so only pull the changes for printing named.conf and the SOA, NS, and MX records.

Oh, the default custom.acl is:

acl "customnets" {
    // e.g. 192.168.2.0/24;
};

You will have to add code to write named.acl with the proper network.
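A small generator for the pieces this comment says still need writing. It is an added example, not code from Amahi's hdactl, and the function names are assumed. It refuses a network with host bits set before writing named.acl (so a mistyped LAN address cannot silently widen the ACL), derives the reverse zone name used in the description from the CIDR block, and keeps customnets as a separate top-level acl that the view references by name, since an include inside an acl does not work.

```python
# Added example (not hdactl): render named.acl and the "internal" view.
import ipaddress
from typing import Iterable, Sequence, Tuple


def render_named_acl(network: str, name: str = "hdanets") -> str:
    """named.acl body for the HDA LAN. strict=True raises ValueError on
    host bits (e.g. 192.168.1.5/24), so a typo never reaches BIND."""
    net = ipaddress.ip_network(network, strict=True)
    return f'acl "{name}" {{\n    {net.with_prefixlen}; // hda network\n}};\n'


def reverse_zone(network: str) -> str:
    """in-addr.arpa zone for an octet-aligned IPv4 prefix,
    e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa (as in the issue)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def render_internal_view(zones: Iterable[Tuple[str, str]],
                         acls: Sequence[str] = ("hdanets", "customnets")) -> str:
    """Emit the view. Both ACLs are referenced by name; their acl blocks are
    included at the top level of named.conf, not inside each other."""
    match = " ".join(f"{a};" for a in acls)
    out = ['view "internal" {',
           f'    match-clients {{ {match} }};',
           f'    match-destinations {{ {match} }};',
           '    recursion yes;', '']
    for zone, path in zones:  # (zone name, file path) pairs, e.g. from hdactl
        out += [f'    zone "{zone}" IN {{', '        type master;',
                '        notify no;', f'        file "{path}";',
                '        allow-update { key ddnskey; };',
                '        check-names ignore;', '    };', '']
    out.append('};')
    return "\n".join(out) + "\n"


def served_by_internal_view(client: str, networks: Iterable[str]) -> bool:
    """Simplified ACL check (address lists only, no negation or keys):
    would this client match the view and get recursion, or be refused?"""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(n) for n in networks)
```

Clients outside every listed network match no view and are refused, which is the leakage protection the issue is after; remember that includes recursive service to the public internet, so list every LAN that legitimately needs the HDA resolver.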
