The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

Things look quiet here. But I've been doing a lot of blogging at dan.langille.org because I prefer WordPress now. Not all my posts there are FreeBSD related. I am in the midst of migrating The FreeBSD Diary over to WordPress (and you can read about that here). Once the migration is completed, I'll move the FreeBSD posts into the new FreeBSD Diary website.

Private DNS 8 July 1999
Need more help on this topic? Click here
This article has 2 comments
Show me similar articles
As a follow-up on the Secondary DNS article, I thought I would write about how I created a private DNS.  In this context, a private DNS is restricted to certain sites or locations.

If you are this interested in DNS, I suggest you purchase the DNS and Bind book.  It's what I have and I referred to it many times when writing this article.

Note: this method is simple and straight forward.  But big sites do this differently.  See the last paragraph for more information.

Zone setup
I wanted to make sure that people outside my LAN did not know what machines I had and what the IP addresses were.  So I started looking at how I could split my DNS into two parts: public and private.  Each of these two parts would be a separate zone.   The public zone will include things such as www, ftp, etc.  In other words, all the machines you want the public to know about.  The private zone will include the machines you don't want people to know about.  This might include workstations, secure servers, and generally anything which is not public.

For this example, we will be using the domain yourdomain.org as an example. We will create a subdomain priv.yourdomain.org which we will hide from everyone but our trusted friends.

The public zone
Here's the zone file for yourdomain.org as of 1999.07.08.  Remember these points:
  • The name server is ns.yourdomain.org
  • You have an email address soa@yourdomain.org which is your contact for DNS issues.
  • 199907051 shows that this zone file was last updated on 1999 July 5 and is the first revision of that day.
  • Mail goes to mail.yourdomain.org.
  • Don't forget to change everything in bold to your own values.
$ cat db.yourdomain.org
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907051       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
                IN      MX      5       mail.yourdomain.org.
;
; Define the rest of my subnet
;

ns.yourdomain.org.              IN A            your.ns.ip.address

www.yourdomain.org.             IN CNAME        ns.yourdomain.org.
ftp.yourdomain.org.             IN CNAME        ns.yourdomain.org.
mail.yourdomain.org.            IN CNAME	ns.yourdomain.org.
The private zone
Here's the zone file for yourdomain.org as of 1999.07.08.  Remember these points:
$ cat db.priv.yourdomain.org
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907081       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
$ORIGIN priv.yourdomain.org.

blueberry                       IN      A               192.168.0.9
skidoo                          IN      A               192.168.0.50
cobequid                        IN      A               192.168.0.6
collingwood                     IN      A               192.168.0.47
oxford                          IN      A               192.168.0.46
springhill                      IN      A               192.168.0.42
amherst                         IN      A               192.168.0.44

If you can figure out the naming theme I used above, you get bonus points.   Basically, you have to figure out what the above names nave in common.   Answers/guesses should be added to the article comments.

The reverse lookup file
This file allows you to find out the name of the box from the IP address.
$ cat db.priv.yourdomain.org.rev
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907081       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
9       IN      PTR     blueberry
50      IN      PTR     skidoo
6       IN      PTR     cobequid
47      IN      PTR     collingwood
46      IN      PTR     oxford
42      IN      PTR     springhill
44      IN      PTR     amherst
named.conf
You will want to modify named.conf to use the above zone files.   Normally, this file is located in /etc/namedb, but you might find it in /etc/namedb.named.conf.   Here's what you need to add to use the above zone files:
zone "yourdomain.org" {
        type master;
        file "db.yourdomain.org";
        };

zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
        };

zone "0.168.192.in-addr.arpa" {
        type master;
        file "db.priv.yourdomain.org.rev";
        };
What can be seen?
The object of this exercise is to restrict the access to the private section of your domain.  There are two types of things we want to prevent:
  • queries
  • zone transfers

A query can be performed with nslookup and is for a single host.  A zone transfer is used when someone wants to see everything in a particular zone.  This can also be done via nslookup or with host.  Here are some examples of what can be done with the above zone files if you don't make them secure.

# host -l -v -a yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
yourdomain.org  3600 IN SOA     ns.yourdomain.org soa.yourdomain.org(
                        199907051       ;serial (version)
                        3600            ;refresh period
                        900             ;retry refresh this often
                        3600000         ;expiration period
                        3600            ;minimum TTL
                        )
yourdomain.org  3600 IN NS      ns.yourdomain.org
yourdomain.org  3600 IN MX      5 mail.yourdomain.org
priv.yourdomain.org     3600 IN NS      ns.yourdomain.org
mail.yourdomain.org     3600 IN CNAME   ns.yourdomain.org
www.yourdomain.org      3600 IN CNAME   ns.yourdomain.org
ns.yourdomain.org       3600 IN A       192.168.0.20
ftp.yourdomain.org      3600 IN CNAME   ns.yourdomain.org
yourdomain.org  3600 IN SOA     ns.yourdomain.org soa.yourdomain.org(
                        199907051       ;serial (version)
                        3600    ;refresh period
                        900     ;retry refresh this often
                        3600000 ;expiration period
                        3600    ;minimum TTL
                        )

As you can see, people can see that your subdomain priv.yourdomain.org exists.  So it would be a simple process to do the following:

# host -l -v -a priv.yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
priv.yourdomain.org  3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
                     199907081   ;serial (version)
                     3600        ;refresh period
                     900         ;retry refresh this often
                     3600000     ;expiration period
                     3600        ;minimum TTL
                     )
priv.yourdomain.org     3600 IN NS      ns.yourdomain.org
collingwood.priv.yourdomain.org 3600 IN A       192.168.0.47
amherst.priv.yourdomain.org     3600 IN A       192.168.0.44
oxford.priv.yourdomain.org      3600 IN A       192.168.0.46
cobequid.priv.yourdomain.org    3600 IN A       192.168.0.6
skidoo.priv.yourdomain.org      3600 IN A       192.168.0.50
springhill.priv.yourdomain.org  3600 IN A       192.168.0.42
blueberry.priv.yourdomain.org   3600 IN A       192.168.0.9
priv.yourdomain.org  3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
                     199907081   ;serial (version)
                     3600        ;refresh period
                     900         ;retry refresh this often
                     3600000     ;expiration period
                     3600        ;minimum TTL
                     )

# nslookup collingwood.priv.yourdomain.org
Server:  localhost.yourdomain.org
Address:  127.0.0.1

Name:    collingwood.priv.yourdomain.org
Address:  192.168.0.47
Restricting queries
We can restrict access to your private domain via queries with the following change to named.conf.  We do this by adding an allow-query clause to your zone definition.
zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
        allow-query {
                127.0.0.1/32; 192.168.0.0/24;
                };
        };

This modification will allow only the localhost and clients on the 192.168.0.* subnet to query the domain priv.yourdomain.org.  Queries from all other addresses will be refused.

With this command in place, direct queries result in this:

# nslookup collingwood.priv.yourdomain.org
Server:  some.other.domain
Address:  127.0.0.1

*** some.other.domain can't find collingwood.priv.yourdomain.org: 
                                Non-existent host/domain

The above attempt from outside my domain resulted in this entry in my log file:

ns named[104]: unapproved query from [210.55.152.247].1296 for 
                                "collingwood.priv.yourdomain.org"
Restricting zone transfers
We can restrict access to your private domain via queries with the following change to named.conf.  We do this by adding an allow-transfer clause to your zone definition.
zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
        allow-query {
                127.0.0.1/32; 192.168.0.0/24;
                };
        allow-transfer { 
                127.0.0.1/32; 192.168.0.0/24;
                };
        };

As with the allow-query clause, this modification will allow only the localhost and clients on the 192.168.0.* subnet to perform a zone transfer on the domain priv.yourdomain.org.  Transfer attempts from all other addresses will be refused.

If we now try the same command from before, we get this:

# host -l -v -a priv.yourdomain.org
Using domain server:
Name: some.other.domain
Address: 127.0.0.1

Trying your.ns.ip.address
Server failed: Query refused

This results in the following type of entry in your log files:

ns named[104]: unapproved AXFR from [some.other.domain].1101 for 
        "priv.yourdomain.org" (acl)
The above samples should work.  If they don't, please let me know.

Please note that this is a very simple solution.  Big sites would hopefully not use this method.  Instead, they would split the two zones onto two name servers.   One name server would service requests coming from the outside (i.e. public requests).  The other name server would service requests coming from the inside (i.e. private requests).  But one day, I might try this approach.  Right now I have enough machines, but I can't be bothered at the moment.


Share
Need more help on this topic? Click here
This article has 2 comments
Show me similar articles