Re: Forward zone does not work when allow recursive is restrictive

2021-02-10 Thread Frédéric Lochon
This is very similar to what I wanted to do some time ago, but concluded this is not possible with bind. But, I've modified bind in order to be able to do that anyway. The trick was to use a "static-stub" zone with a small modification in bind code. In my bind-9.16.6, I modified file query.c

Re: Forward zone does not work when allow recursive is restrictive

2021-02-09 Thread Mark Andrews
“forward” does not mean “proxy”. Additionally servers out on the internet make iterative queries. They are non-recursive *AND* follow delegations. Making a proxy work is more than just relaying the request and the response. BIND does not support proxying other servers. > On 10 Feb 2021, at 0

Re: Forward zone inside a view

2019-02-13 Thread Tony Finch
Grant Taylor via bind-users wrote: > > I know it's not yet an option and won't yet work for Roberto C., but would > BIND's forthcoming "mirror" zone type change any of this? No. Tony. -- f.anthony.n.finch http://dotat.at/ safeguard the balance of nature and the environment

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
Controlling DNS resolution isn't the panacea for all security challenges, but then neither is a firewall. Or IPS. Or DLP. Or blacklisting/whitelisting. Or restrictive routing. Or NAT'ing. But some combination of those can be part of an overall security strategy. Defense in depth. - Kevin On Tue,

Re: Forward zone inside a view

2019-02-12 Thread Timothe Litt
All these replies are correct in the details (as usual), but miss the point. Blocking name resolution, while popular, does not meet the OP's requirement: "The point is I have several desktops that *must* have access **only** to internal domains.*" Let's say that your client's favorite illicit si

Re: Forward zone inside a view

2019-02-12 Thread Grant Taylor via bind-users
On 02/12/2019 03:45 PM, Kevin Darcy wrote: "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instance. I know it's not yet an option and won't yet work f

Re: Forward zone inside a view

2019-02-12 Thread Grant Taylor via bind-users
On 02/07/2019 07:02 PM, Paul Kosinski wrote: I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them access "teamviewer.local", which is resolv

Re: Forward zone inside a view

2019-02-12 Thread Kevin Darcy
Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as "type forward". "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instan

Re: Forward zone inside a view

2019-02-12 Thread Dirk Gottschalk via bind-users
Hello. On Thursday, 07.02.2019, 10:32 -0300, Roberto Carna wrote: > Dear, I have Bind 9.10.3 as our private DNS service with two views, > one of them lets some clients query linux.org domain from Internet > forwarding the query to our Bind resolvers, but the query is refused > by our priv

Re: Forward zone inside a view

2019-02-11 Thread Timothe Litt
On 11-Feb-19 08:38, Roberto Carna wrote: > The point is I have several desktops that must have access only to > internal domains. The unique exception is they have access to > teamviewer.com in order to download the > Teamviewer client and a pair of operations in this publ

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Matus, I've followed what you say: view "internet" { match-clients { internet_clients; key "pnet"; }; recursion yes; zone "teamviewer.com" { type forward; forward only; forwarders { 8.8.8.8; }; }; }; but clients can resolve ANY public Internet

Re: Forward zone inside a view

2019-02-11 Thread Matus UHLAR - fantomas
On 11.02.19 10:38, Roberto Carna wrote: Dear Mathus, thanks a lot for your help. what is the point of running DNS server with only two hostnames allowed to resolve? The point is I have several desktops that must have access only to internal domains. The unique exception is they have access t

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Dear Mathus, thanks a lot for your help. >> what is the point of running DNS server with only two hostnames allowed to >> resolve? The point is I have several desktops that must have access only to internal domains. The unique exception is they have access to teamviewer.com in order to download

Re: Forward zone inside a view

2019-02-09 Thread Matus UHLAR - fantomas
On 07.02.19 16:30, Roberto Carna wrote: Desktops I mentioned can only access web apps from internal domains, but in some web apps there are links to download Teamviewer client software from Internet. I can create a private zone "teamviewer.com" with all the hostnames and IP's we will use, but

Re: Forward zone inside a view

2019-02-07 Thread Paul Kosinski
I haven't analyzed the details and pitfalls, but could a Web proxy mechanism of some sort be of help? In particular, rather than having your users directly access "teamviewer.org" (or whatever), have them access "teamviewer.local", which is resolved by your internal DNS to a specialized proxy se

Re: Forward zone inside a view

2019-02-07 Thread Alan Clegg
On 2/7/19 2:30 PM, Roberto Carna wrote: > Dear, thanks for your contact. I've used teamviewer.com > just for tests. > > Desktops I mentioned can only access to web apps from internal domains, > but in some web apps there are links to download Teamviewer client > software fr

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear, thanks for your contact. I've used teamviewer.com just for tests. Desktops I mentioned can only access web apps from internal domains, but in some web apps there are links to download Teamviewer client software from Internet. I can create a private zone "teamviewer.com" with all the hostn

Re: Forward zone inside a view

2019-02-07 Thread Matus UHLAR - fantomas
On 07.02.19 14:58, Roberto Carna wrote: In our company we have several desktops from two different cities accessing only internal domains distributed in two views in a private BIND with authoritative zones, where I've defined "recursion no;". But now we have to let them access *.teamviewer

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Ok Tony, please let me explain to you. In our company we have several desktops from two different cities accessing only internal domains distributed in two views in a private BIND with authoritative zones, where I've defined "recursion no;". But now we have to let them access *.teamviewer.c

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > > So how can I define "recursion yes" just for the zone "linux.org" ??? You can turn recursion on and off for the entire server, or per view, but not per zone. It isn't clear to me what you want this server to do. If it is providing DNS service to end-user devices (if it i

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
When I query www.teamviewer from a desktop, I fail and get this error in dig: WARNING: recursion requested but not available In BIND I have in named.conf.local: zone "linux.org" { type forward; forwarders { 172.18.1.1; 172

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Tony, as you said forwarding requires recursion but when I define: zone "linux.org" { recursion yes; type forward; forward only; forwarders { 172.18.1.1; 172.18.1.2; }; and after that I restart bind9

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear Tony, I forward the "linux.org" queries from our private Bind to our > Bind resolvers (they have authoritative public zones and also they are > resolvers that forward the queries to 8.8.8.8). > > So why you say they are authoritative only servers? Oh, I misread your e

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear Tony, I forward the "linux.org" queries from our private Bind to our Bind resolvers (they have authoritative public zones and also they are resolvers that forward the queries to 8.8.8.8). So why you say they are authoritative only servers? As I said, can I still use the forward option for "li

Re: Forward zone inside a view

2019-02-07 Thread Tony Finch
Roberto Carna wrote: > Dear, I have Bind 9.10.3 as our private DNS service with two views, one of > them lets some clients query linux.org domain from Internet forwarding > the query to our Bind resolvers, but the query is refused by our private > Bind. You can't forward to an authoritative-on

Re: forward zone

2018-10-27 Thread Frédéric Lochon
On 27/10/2018 at 14:13, Matus UHLAR - fantomas wrote: On 27.10.18 13:53, Frédéric Lochon wrote: This is what I wanted to do. But allow-query and allow-recursion are not allowed inside a zone of type forward. aha. I haven't looked at possibility of allow-recursion for "type forward" zone.

Re: forward zone

2018-10-27 Thread Matus UHLAR - fantomas
On 26.10.18 00:12, Frédéric Lochon wrote: Today, I just set-up a new zone of type "forward" but I have trouble making it work properly: - my home network is allowed to send queries because it is "trusted" - nobody from outside my home network is allowed to send queries because it is not "trust

Re: forward zone

2018-10-27 Thread Frédéric Lochon
On 26/10/2018 at 09:21, Matus UHLAR - fantomas via bind-users wrote: On 26.10.18 00:12, Frédéric Lochon wrote: Today, I just set-up a new zone of type "forward" but I have trouble making it work properly: - my home network is allowed to send queries because it is "trusted" - nobody from outs

Re: forward zone

2018-10-26 Thread Matus UHLAR - fantomas via bind-users
On 26.10.18 00:12, Frédéric Lochon wrote: I'm new to this list, but I have been using BIND for quite some time. I have a machine running BIND which is authoritative for some domains I own and is the nameserver for my home network. Thus: - BIND answers to any query from my home network - BIND answers to q

RE: Forward zone not working

2016-05-21 Thread Woodworth, John R
> -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas > Sent: Saturday, May 21, 2016 1:27 PM > To: bind-users@lists.isc.org > Subject: Re: Forward zone not working > > On 2

RE: Forward zone not working

2016-05-21 Thread Woodworth, John R
> -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas > Sent: Saturday, May 21, 2016 1:16 PM > To: bind-users@lists.isc.org > Subject: Re: Forward zone not working > > >

RE: Forward zone not working

2016-05-21 Thread Woodworth, John R
> -Original Message- > From: MegaBrutal [mailto:megabru...@gmail.com] > Sent: Friday, May 20, 2016 9:11 PM > To: Woodworth, John R; bind-users > Subject: Re: Forward zone not working > > 2016-05-20 23:09 GMT+02:00 Woodworth, John R : > > The below refere

Re: Forward zone not working

2016-05-21 Thread Matus UHLAR - fantomas
On 20.05.16 21:09, Woodworth, John R wrote: This is exactly what some colleagues and I are working to get a handle on. We see this as becoming a larger and larger issue especially as IPv6 adoption increases. We have had several customers already request generics at /96 and larger blocks as they

Re: Forward zone not working

2016-05-21 Thread Matus UHLAR - fantomas
2016-05-20 23:09 GMT+02:00 Woodworth, John R : The below referenced I-D for "BULK" records: * Provides "generics" which are automatically generated based on a set of rules. * The records have similar features as wildcards where they may be superimposed and appear only where more specific

Re: Forward zone not working

2016-05-20 Thread MegaBrutal
2016-05-20 23:09 GMT+02:00 Woodworth, John R : > The below referenced I-D for "BULK" records: > * Provides "generics" which are automatically generated based on a set of > rules. > * The records have similar features as wildcards where they may be > superimposed > and appear only where mor

RE: Forward zone not working

2016-05-20 Thread Woodworth, John R
> -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] > On Behalf Of John Wobus > Sent: Friday, May 20, 2016 3:08 PM > To: bind-users > Subject: Re: Forward zone not working > > On May 16, 2016, at

Re: Forward zone not working

2016-05-20 Thread John Wobus
On May 16, 2016, at 5:35 PM, MegaBrutal wrote: > > 2016-05-16 19:45 GMT+02:00 Alan Clegg : >> On 5/16/16, 1:30 PM, "MegaBrutal" > behalf of megabru...@gmail.com> wrote: >> >>> I want to have valid reverse & forward hostnames set up >>> for this /64 subnet. >> >> This is silly. Don't do this. >

Re: Forward zone not working

2016-05-17 Thread Matthew Pounsett
On 17 May 2016 at 09:29, Woodworth, John R wrote: > > > > > >Ideally every machine should be registering its own PTR record in the > > > >DNS and addresses without machines shouldn't have PTR records. > > > >The only reason ISP did this is that they were too lazy to manage PTR > > > >records for

RE: Forward zone not working

2016-05-17 Thread Woodworth, John R
> > > >Ideally every machine should be registering its own PTR record in the > > >DNS and addresses without machines shouldn't have PTR records. > > >The only reason ISP did this is that they were too lazy to manage PTR > > >records for their customers. > > > > And because no ISP wants "you.suck.is

Re: Forward zone not working

2016-05-16 Thread sthaug
> >Ideally every machine should be registering its own PTR record in > >the DNS and addresses without machines shouldn't have PTR records. > >The only reason ISP did this is that they were too lazy to manage > >PTR records for their customers. > > And because no ISP wants "you.suck.isp.com" to sho

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
In message , Alan Clegg writes: > On 5/16/16, 6:30 PM, "Mark Andrews" wrote: > > >Ideally every machine should be registering its own PTR record in > >the DNS and addresses without machines shouldn't have PTR records. > >The only reason ISP did this is that they were too lazy to manage > >PTR re

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 6:30 PM, "Mark Andrews" wrote: >Ideally every machine should be registering its own PTR record in >the DNS and addresses without machines shouldn't have PTR records. >The only reason ISP did this is that they were too lazy to manage >PTR records for their customers. And because no IS

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
In message , MegaBrutal writes: > 2016-05-16 19:45 GMT+02:00 Alan Clegg : > > On 5/16/16, 1:30 PM, "MegaBrutal" > behalf of megabru...@gmail.com> wrote: > > > >>I want to have valid reverse & forward hostnames set up > >>for this /64 subnet. > > > > This is silly. Don't do this. > > Why? > >

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 5:35 PM, "MegaBrutal" wrote: >2016-05-16 19:45 GMT+02:00 Alan Clegg : >> On 5/16/16, 1:30 PM, "MegaBrutal" > behalf of megabru...@gmail.com> wrote: >> >>>I want to have valid reverse & forward hostnames set up >>>for this /64 subnet. >> >> This is silly. Don't do this. > >Why? Becau

Re: Forward zone not working

2016-05-16 Thread MegaBrutal
2016-05-16 19:45 GMT+02:00 Alan Clegg : > On 5/16/16, 1:30 PM, "MegaBrutal" behalf of megabru...@gmail.com> wrote: > >>I want to have valid reverse & forward hostnames set up >>for this /64 subnet. > > This is silly. Don't do this. Why? Most ISPs set up reverse & forward domain names for pool a

Re: Forward zone not working

2016-05-16 Thread MegaBrutal
Temporarily I enabled recursion on the server and then the forward zone worked well. Now, if I could enable recursion for a specific zone only, then I won. Do you have an idea how to do this? I only see options to restrict recursion for clients. Now I want to control recursion by query (which doma

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
If you want to delegate space to another server DELEGATE it. Add NS records for the other server. Forward "zones" are NOT designed to do this. Doing actual delegations is *not* hard and works with every server in the world. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Aus

RE: Forward zone not working

2016-05-16 Thread Woodworth, John R
> -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MegaBrutal > Sent: Monday, May 16, 2016 1:31 PM > To: bind-users@lists.isc.org > Subject: Forward zone not working > > Hi all, > > I have an IPv6 reverse PTR zone for a /4

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 1:30 PM, "MegaBrutal" wrote: >I want to have valid reverse & forward hostnames set up >for this /64 subnet. This is silly. Don't do this. AlanC ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this

Re: Forward zone not working

2016-05-16 Thread /dev/rob0
On Mon, May 16, 2016 at 07:30:30PM +0200, MegaBrutal wrote: > zone "y.y.y.y.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa" { > type forward; > forward only; > forwarders { ::; }; // IPv6 address of AllKnowingDNS. > }; > > Where x substitutes digits of my /48, y substitutes digits of my > /

Re: Forward zone giving SERVFAIL

2013-11-28 Thread Mark Andrews
In message <000701ceebe9$cf91f6c0$6eb5e440$@JAMMConsulting.com>, "Neil Aggarwal" writes: > Hello: > > I set up a forward zone in the internal view of my named.conf: > > view internal { > match-clients { > 127.0.0.1; > }; > recursion yes; >

Re: Forward zone giving SERVFAIL

2013-11-28 Thread Sten Carlsen
IIRC "forward" means ask the forwarder to do a recursive lookup. If the server you forward to does not do recursion, there is a problem here. I think the advice is to look at stub zones, they might be useful here. On 28/11/13 16.50, Neil Aggarwal wrote: > Dave: > >> This is a shot in the dark, bu

RE: Forward zone giving SERVFAIL

2013-11-28 Thread Neil Aggarwal
Dave: > This is a shot in the dark, but is your server carrying a root zone or > using hints? I vaguely recall running into similar a few weeks back when Bind complained about the pre-defined zones not being in a view when I added my views so I removed them. I added the following to my /var/nam

Re: Forward zone giving SERVFAIL

2013-11-28 Thread Dave Warren
On 2013-11-27 19:27, Neil Aggarwal wrote: Anyone have any ideas? This is a shot in the dark, but is your server carrying a root zone or using hints? I vaguely recall running into similar a few weeks back when rolling out a new mail server, it turned out that the server was configured as a ro

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-31 Thread Kaya Saman
Thanks Luc, I think I understand now! The TLD for my domain has become .test therefore the secondary level domain becomes sgd so inevitably the ns must be ns-m.sgd.test then. and zone should be called sgd then??

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kaya Saman
Luc I. Suryo wrote: you have to become auth for the .test and then in that zone define the subdomain's NS make sense? nb: old company we had .prv for internal use :) -ls Thanks Luc, I think I understand now! The TLD for my domain has become .test therefore the secondary level domain bec

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kaya Saman
Am I right in assuming this?? Otherwise, with my setup taking an example of google.com - I was trying to use the .com with the .test where I actually wanted to use the .test as the secondary level domain of google but not append a TLD to it. I think this is against all DNS rules no??

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kaya Saman
No, that won't work. The names in the zone file are all under "domain.com", but you're trying to load the zone as simply "domain", which is not in the same naming hierarchy; in fact it's a completely different TLD (top-level domain). As well as setting the default $ORIGIN, the name of a zone

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kevin Darcy
Kaya Saman wrote: Kevin Darcy wrote: If you're loading a zone as "sgd.test", then an owner name of ns-m.test doesn't belong in it, and BIND is correct to reject it. Either change that name to something under sgd.test, or set up a separate zone for ns-m.test or anything above that in the hiera

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kaya Saman
Kevin Darcy wrote: If you're loading a zone as "sgd.test", then an owner name of ns-m.test doesn't belong in it, and BIND is correct to reject it. Either change that name to something under sgd.test, or set up a separate zone for ns-m.test or anything above that in the hierarchy (i.e. "test"

Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??

2009-10-30 Thread Kevin Darcy
If you're loading a zone as "sgd.test", then an owner name of ns-m.test doesn't belong in it, and BIND is correct to reject it. Either change that name to something under sgd.test, or set up a separate zone for ns-m.test or anything above that in the hierarchy (i.e. "test" or root). I don't