Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
As a follow-up on the Secondary DNS article, I thought I
would write about how I created a private DNS. In this context, a private DNS is
restricted to certain sites or locations.
If you are this interested in DNS, I suggest
you purchase the DNS and Bind book. It's what I have and I
referred to it many times when writing this article.
Note: this method is simple and straight forward. But big sites do this
differently. See the last paragraph for more
information.
Zone setup
I wanted to make sure that people outside my LAN did not know what machines I had and
what the IP addresses were. So I started looking at how I could split my DNS into
two parts: public and private. Each of these two parts would be a separate zone.
The public zone will include things such as www, ftp, etc. In other words,
all the machines you want the public to know about. The private zone will include
the machines you don't want people to know about. This might include workstations,
secure servers, and generally anything which is not public.
For this example, we will be
using the domain yourdomain.org as an example. We will create a subdomain
priv.yourdomain.org which we will hide from everyone but our trusted friends.
The public zone
Here's the zone file for yourdomain.org as of 1999.07.08. Remember these points:
The name server is ns.yourdomain.org
You have an email address soa@yourdomain.org which is your contact for DNS issues.
199907051 shows that this zone file was last updated on 1999 July 5 and is the first
revision of that day.
Mail goes to mail.yourdomain.org.
Don't forget to change everything in bold to your own values.
$ cat db.yourdomain.org
@ IN SOA ns.yourdomain.org. soa.yourdomain.org. (
199907051 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
; name servers
IN NS ns.yourdomain.org.
IN MX 5 mail.yourdomain.org.
;
; Define the rest of my subnet
;
ns.yourdomain.org. IN A your.ns.ip.address
www.yourdomain.org. IN CNAME ns.yourdomain.org.
ftp.yourdomain.org. IN CNAME ns.yourdomain.org.
mail.yourdomain.org. IN CNAME ns.yourdomain.org.
The private zone
Here's the zone file for yourdomain.org as of 1999.07.08. Remember these points:
$ cat db.priv.yourdomain.org
@ IN SOA ns.yourdomain.org. soa.yourdomain.org. (
199907081 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
; name servers
IN NS ns.yourdomain.org.
$ORIGIN priv.yourdomain.org.
blueberry IN A 192.168.0.9
skidoo IN A 192.168.0.50
cobequid IN A 192.168.0.6
collingwood IN A 192.168.0.47
oxford IN A 192.168.0.46
springhill IN A 192.168.0.42
amherst IN A 192.168.0.44
If you can figure out the naming theme I used above, you get bonus points.
Basically, you have to figure out what the above names nave in common.
Answers/guesses should be added to the article comments.
The reverse lookup file
This file allows you to find out the name of the box from the IP address.
$ cat db.priv.yourdomain.org.rev
@ IN SOA ns.yourdomain.org. soa.yourdomain.org. (
199907081 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
; name servers
IN NS ns.yourdomain.org.
9 IN PTR blueberry
50 IN PTR skidoo
6 IN PTR cobequid
47 IN PTR collingwood
46 IN PTR oxford
42 IN PTR springhill
44 IN PTR amherst
named.conf
You will want to modify named.conf to use the above zone files.
Normally, this file is located in /etc/namedb, but you might find it in /etc/namedb.named.conf.
Here's what you need to add to use the above zone files:
zone "yourdomain.org" {
type master;
file "db.yourdomain.org";
};
zone "priv.yourdomain.org" {
type master;
file "db.priv.yourdomain.org";
};
zone "0.168.192.in-addr.arpa" {
type master;
file "db.priv.yourdomain.org.rev";
};
What can be seen?
The object of this exercise is to restrict the access to the private section of your
domain. There are two types of things we want to prevent:
queries
zone transfers
A query can be performed with nslookup and is for a single host. A zone
transfer is used when someone wants to see everything in a particular zone. This can
also be done via nslookup or with host. Here are some examples of
what can be done with the above zone files if you don't make them secure.
# host -l -v -a yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
199907051 ;serial (version)
3600 ;refresh period
900 ;retry refresh this often
3600000 ;expiration period
3600 ;minimum TTL
)
yourdomain.org 3600 IN NS ns.yourdomain.org
yourdomain.org 3600 IN MX 5 mail.yourdomain.org
priv.yourdomain.org 3600 IN NS ns.yourdomain.org
mail.yourdomain.org 3600 IN CNAME ns.yourdomain.org
www.yourdomain.org 3600 IN CNAME ns.yourdomain.org
ns.yourdomain.org 3600 IN A 192.168.0.20
ftp.yourdomain.org 3600 IN CNAME ns.yourdomain.org
yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
199907051 ;serial (version)
3600 ;refresh period
900 ;retry refresh this often
3600000 ;expiration period
3600 ;minimum TTL
)
As you can see, people can see that your subdomain priv.yourdomain.org exists. So
it would be a simple process to do the following:
# host -l -v -a priv.yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
priv.yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
199907081 ;serial (version)
3600 ;refresh period
900 ;retry refresh this often
3600000 ;expiration period
3600 ;minimum TTL
)
priv.yourdomain.org 3600 IN NS ns.yourdomain.org
collingwood.priv.yourdomain.org 3600 IN A 192.168.0.47
amherst.priv.yourdomain.org 3600 IN A 192.168.0.44
oxford.priv.yourdomain.org 3600 IN A 192.168.0.46
cobequid.priv.yourdomain.org 3600 IN A 192.168.0.6
skidoo.priv.yourdomain.org 3600 IN A 192.168.0.50
springhill.priv.yourdomain.org 3600 IN A 192.168.0.42
blueberry.priv.yourdomain.org 3600 IN A 192.168.0.9
priv.yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
199907081 ;serial (version)
3600 ;refresh period
900 ;retry refresh this often
3600000 ;expiration period
3600 ;minimum TTL
)
# nslookup collingwood.priv.yourdomain.org
Server: localhost.yourdomain.org
Address: 127.0.0.1
Name: collingwood.priv.yourdomain.org
Address: 192.168.0.47
Restricting queries
We can restrict access to your private domain via queries with the following change to
named.conf. We do this by adding an allow-query clause to your zone
definition.
zone "priv.yourdomain.org" {
type master;
file "db.priv.yourdomain.org";
allow-query {
127.0.0.1/32; 192.168.0.0/24;
};
};
This modification will allow only the localhost and clients on the 192.168.0.* subnet
to query the domain priv.yourdomain.org. Queries from all other addresses will be
refused.
With this command in place, direct queries result in this:
The above attempt from outside my domain resulted in this entry in my log file:
ns named[104]: unapproved query from [210.55.152.247].1296 for
"collingwood.priv.yourdomain.org"
Restricting zone transfers
We can restrict access to your private domain via queries with the following change to
named.conf. We do this by adding an allow-transfer clause to your zone
definition.
zone "priv.yourdomain.org" {
type master;
file "db.priv.yourdomain.org";
allow-query {
127.0.0.1/32; 192.168.0.0/24;
};
allow-transfer {
127.0.0.1/32; 192.168.0.0/24;
};
};
As with the allow-query clause, this modification will allow only the
localhost and clients on the 192.168.0.* subnet to perform a zone transfer on the domain
priv.yourdomain.org. Transfer attempts from all other addresses will be refused.
If we now try the same command from before, we get this:
# host -l -v -a priv.yourdomain.org
Using domain server:
Name: some.other.domain
Address: 127.0.0.1
Trying your.ns.ip.address
Server failed: Query refused
This results in the following type of entry in your log files:
ns named[104]: unapproved AXFR from [some.other.domain].1101 for
"priv.yourdomain.org" (acl)
The above samples should work. If they don't, please let me know.
Please note
that this is a very simple solution. Big sites would hopefully not use this
method. Instead, they would split the two zones onto two name servers. One
name server would service requests coming from the outside (i.e. public requests).
The other name server would service requests coming from the inside (i.e. private
requests). But one day, I might try this approach. Right now I have enough
machines, but I can't be bothered at the moment.
