
Disabling Internet resolution

Authority
Posts: 18
6485     0

Hello,

we have an internal DNS server which should not resolve Internet domain names and has no access to the Internet.

Recursion is enabled and should stay so since we have a number of forward zones configured.

With this configuration, when a client asks for an Internet domain resolution (for example www.google.com), the DNS server starts recursion using the root hints; since there is no Internet access, the query will just time out. From the client's point of view this is bad because it has to wait for the request to time out, and it could slow down the system.

 

The BIND way of solving this issue is to configure a fake "." authoritative zone. With this configuration the resolution of any Internet domain name will fail with NXDOMAIN.

With Infoblox I have configured 127.0.0.1 as root hint and it solves the issue, but it does return a NOERROR with an empty answer.

 

Here come the questions:

  1. Is this the Infoblox way to solve this issue, or is there a better solution?
  2. Why does it return NOERROR? Is there a way to make it return NXDOMAIN?

 

Thanks,

Marco
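
The "fake root zone" approach Marco refers to, written out as a BIND 9 configuration. This is an added example, not configuration from the thread or from Infoblox; the zone names (corp.example, partner.example), the server name ns1.corp.example, the forwarder address 10.1.2.3 and the client range 10.0.0.0/8 are assumed placeholders.

```conf
// --- named.conf fragment (added example; the thread shows no config) ---
// Assumed names: corp.example (internal zone), partner.example (conditional
// forwarder), ns1.corp.example (this server), 10.0.0.0/8 (client range).
options {
    directory "/var/named";
    recursion yes;                      // keep recursion so forward zones still work
    allow-recursion { 10.0.0.0/8; };
    // no global "forwarders": there is nowhere on the Internet to forward to
};

// Internal zone this server is primary for
zone "corp.example" {
    type master;
    file "db.corp.example";
};

// Conditional forwarder; the most specific matching zone wins, so this is
// still honoured even though the server is also authoritative for "."
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; };
};

// The fake root. Being authoritative for "." means a name that falls under no
// other local zone is answered from this zone: an authoritative NXDOMAIN,
// returned at once, with no root-hint lookups that would have to time out.
zone "." {
    type master;
    file "db.fake-root";
};

// --- db.fake-root (zone file; ';' starts a comment in zone-file syntax) ---
$TTL 3600
@   IN  SOA  ns1.corp.example. hostmaster.corp.example. (
                2024010101  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                900 )       ; MINIMUM: caps the negative-cache TTL (RFC 2308)
    IN  NS   ns1.corp.example.
```

Validate with `named-checkconf` and `named-checkzone . db.fake-root` before reloading, then confirm with `dig @127.0.0.1 www.google.com`: the status should be NXDOMAIN and the AUTHORITY section should carry the root SOA, which is what lets clients and intermediate caches negatively cache the answer. Zones hosted on this same server need no delegation records in the root zone, because BIND answers from the closest enclosing zone it is configured for; zones hosted only on other internal servers do need NS delegations added to db.fake-root, or they will also come back NXDOMAIN.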

Re: Disabling Internet resolution

Expert
Posts: 232

Hi Marco,

 

Actually what you have done is create a custom root server "hint": you are telling Infoblox to use 127.0.0.1 for the root servers, but you have not actually made it authoritative for the root zone.

What I would do is remove the custom root hint, revert back to using the Internet root name servers, but create a new authoritative forward zone called "." and assign your Infoblox members as the name servers (use a name server group if you have one). You can make them all primaries for the root zone.

 

Infoblox will move all the current zones under it, and will also create all the delegations in the root zone. You should then get NXDOMAIN for anything that doesn't exist.

 

I am a bit sketchy about what happens with forwarding. From what I remember they won't do any global forwarding out to the Internet (because you are authoritative for root) but will still honour any conditional forwarders you have if recursion is enabled (in a true root server environment of course recursion would be disabled).

Hope this helps.

Cheers,

Paul

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Disabling Internet resolution

GHorne
Community Manager
Posts: 248

Remove the root zone, you don't need it (but be careful, this is a tricky one to back out).

 

On the internal DNS server's member DNS properties:

 - check the 'use forwarders only' box
 - set the manual forwarders to an empty list.

That will disable recursion to the roots and only follow any specific forwarder rules.

Re: Disabling Internet resolution

Expert
Posts: 232

Nice trick, will that still give him NXDOMAIN for stuff that doesn't exist? Or are we going to get SERVFAIL now or something else?


Re: Disabling Internet resolution

Authority
Posts: 18

Thanks Paul,

that's the solution we have currently implemented on BIND; they both work. Besides different replies, is there any change in the behaviour of the client or the server?

Maybe a SERVFAIL won't be cached while a NXDOMAIN will?

Re: Disabling Internet resolution

Authority
Posts: 18

I will try the forwarders trick. Why do you say it's tricky to back out?

Re: Disabling Internet resolution

Expert
Posts: 232

@MarcoT wrote:

Maybe a SERVFAIL won't be cached while a NXDOMAIN will?

Yes, you want to try and avoid SERVFAIL if you can. I remember an issue years ago where sendmail/postfix would requeue/resend mail when it got SERVFAIL, as opposed to bouncing it when it got NXDOMAIN. That meant a long delay before the mail server finally gave up and bounced a mail if a domain didn't exist. There are probably loads of other use cases but this is the one I remember.

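
To make the NXDOMAIN / NOERROR-empty / SERVFAIL distinction from the exchange above concrete, here is an added example (not code from the thread or from Infoblox) that builds the three kinds of response as raw DNS wire messages and classifies them the way a resolver or client would, including the negative-cache TTL a resolver derives from the SOA in the authority section under RFC 2308. All messages are constructed in the script; nothing is sent on the network, and the names and addresses in the samples are placeholders.

```python
"""Classify DNS responses as a resolver or client sees them (added example).

Constructed messages only; nothing is sent on the network. The cases are the
three outcomes discussed in the thread:
  - NXDOMAIN with an SOA in the authority section (a fake root zone): a
    cacheable negative answer, TTL = min(SOA TTL, SOA MINIMUM) (RFC 2308 s.5)
  - NOERROR with an empty answer and no SOA (the 127.0.0.1 root-hint setup):
    a NODATA response with nothing to cache against
  - SERVFAIL: a resolution failure, not a negative answer at all
"""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TYPE_A, TYPE_SOA = 1, 6


def _encode_name(name):
    """Wire-encode a dotted name; the root '.' is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_response(qname, rcode, soa=None, answer_ip=None):
    """Construct an authoritative response to an A query (constructed sample).
    soa=(ttl, minimum) adds an SOA for '.' to the authority section, as a fake
    root zone would; answer_ip adds one A record to the answer section."""
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080 | rcode   # QR, AA, RD, RA + rcode
    ancount = 1 if answer_ip else 0
    nscount = 1 if soa else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)
    msg += _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    if soa:
        ttl, minimum = soa
        rdata = _encode_name("localhost.") + _encode_name("hostmaster.localhost.")
        rdata += struct.pack("!IIIII", 1, 3600, 900, 604800, minimum)
        msg += _encode_name(".") + struct.pack("!HHIH", TYPE_SOA, 1, ttl, len(rdata)) + rdata
    return msg


def classify(msg):
    """Parse a response and report rcode, answer kind and negative-cache TTL."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(ancount):                                # skip answer RRs
        off = _skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    neg_ttl = None
    for _ in range(nscount):                                # authority section
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            p = _skip_name(msg, _skip_name(msg, off))       # past MNAME and RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # 5th uint32 = MINIMUM
            neg_ttl = min(ttl, minimum)                      # RFC 2308 section 5
        off += rdlen
    if rcode == 3:
        kind = "NXDOMAIN"
    elif rcode == 0:
        kind = "ANSWER" if ancount else "NODATA"
    else:
        kind = RCODES.get(rcode, "RCODE%d" % rcode)
    return {
        "rcode": RCODES.get(rcode, rcode),
        "kind": kind,
        "negative_ttl": neg_ttl,
        # only a negative answer that carries an SOA can be negatively cached
        "cacheable_negative": kind in ("NXDOMAIN", "NODATA") and neg_ttl is not None,
    }


# Constructed samples mirroring the three setups discussed in the thread.
SAMPLES = {
    "fake root zone":   build_response("www.google.com.", 3, soa=(3600, 900)),
    "127.0.0.1 hint":   build_response("www.google.com.", 0),
    "servfail":         build_response("www.google.com.", 2),
    "internal name":    build_response("intranet.corp.example.", 0, answer_ip="10.0.0.5"),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print("%-16s %s" % (label, classify(wire)))
```

The fake-root sample comes back as a cacheable NXDOMAIN with a 900-second negative TTL (the SOA MINIMUM, smaller than the record's own TTL), the loopback-hint sample as NOERROR/NODATA with nothing to cache against, and the SERVFAIL sample as a plain failure. That is the mechanism behind Paul's sendmail/postfix observation: a resolver can remember "this name does not exist" for as long as the zone's SOA allows, whereas a SERVFAIL is a statement about the lookup, not the name, so the client retries. One caveat for current resolvers: RFC 9520 now requires them to cache resolution failures briefly (between 1 second and 5 minutes) to limit retry storms, but that is still nowhere near a zone-controlled negative TTL.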

Re: Disabling Internet resolution

Expert
Posts: 232

@MarcoT wrote:

I will try the forwarders trick. Why do you say it's tricky to back out?

I think Geoff might be talking about when you delete the root zone: you'll get a dialogue box asking if you want to delete just the parent or all sub-zones. Obviously you want the first option! :-)


Re: Disabling Internet resolution

GHorne
Community Manager
Posts: 248

It turns out I was mistaken, and you can't set an empty 'forwarders{}' config at the global level.

 

You can disable forwarding at a delegation point or on a zone but not for all queries.

 

So you are back to using a root zone. Which is still less than ideal.

 

When you add or remove a root zone it has to manage all the delegations for the rest of the authoritative zones that you have configured, and if you remove the zone you have to make sure it doesn't delete the sub zones as well.

 

Diagnosing a box with a local root zone is also a problem if you forget the root zone is there (and it isn't always easy to see). It might not happen today, but 6-12 months down the process someone could end up tearing their hair out wondering why they keep getting NXDOMAIN for their test queries.

 

I would almost suggest that you just forward to another view that just has the root zone or has recursion disabled.

 

A local root zone always feels like a hack to some other deeper problem (such as why is it a problem if the client has to wait for a response if it isn't allowed to query the namespace anyway ?)


Re: Disabling Internet resolution

Authority
Posts: 18

Hello,

thanks for the follow up.

In the past we have been experiencing clients slowing down because they have a number of programs that try to reach the Internet, and some browser plugins. We just cannot prevent that.

 

Could you please be more specific, because I cannot figure out how to make the configuration you suggested.

 

Best,

Marco

Re: Disabling Internet resolution

Authority
Posts: 18

I managed to configure something that works, even if it looks a bit messy. This is what I did:

  •  Configured the "default" view with authoritative zones and forward zones on the GM (as stealth primary) and a couple of nodes as slaves
  •  Configured a "no-recursion" view only on the GM with a "match-clients SLAVES_IP" and moved it up as the first view, so it will match all the requests. This view has a "." zone configured
  •  Recursion is enabled on the Grid
  •  Recursion is disabled on the view "no-recursion"
  •  Slaves have the "forwarders only" option not set and the only forwarder is the GM

This configuration returns NXDOMAIN quickly.

 

Does it make any sense to you?

 

m-
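
Geoff's suggestion of forwarding to a separate view that only holds the root zone, and the arrangement Marco describes above, expressed in BIND 9 view syntax as an added example (not the thread's or Infoblox's own configuration). The addresses (GM 10.0.0.10, slaves 10.0.0.11 and 10.0.0.12), the zone names (corp.example, partner.example), the forwarder 10.1.2.3 and the zone file name db.fake-root are all assumptions; db.fake-root is taken to be a minimal SOA-plus-NS zone for ".".

```conf
// --- named.conf on the GM (added example, BIND 9 views syntax) ---
// Assumed addresses: GM 10.0.0.10, slaves 10.0.0.11 and 10.0.0.12;
// assumed zones: corp.example (authoritative), partner.example (forward).
acl slaves { 10.0.0.11; 10.0.0.12; };

// Listed first, so it is matched first: only the slaves land here.
// No recursion, and a local root zone, so anything the slaves send up that is
// not covered by a zone in this view is answered NXDOMAIN immediately.
view "no-recursion" {
    match-clients { slaves; };
    recursion no;
    zone "." {
        type master;
        file "db.fake-root";        // minimal SOA + NS zone for "." (assumed to exist)
    };
};

// Everyone else (clients querying the GM directly) gets the normal view:
// recursion on, authoritative zones and conditional forwarders, no root zone.
view "default" {
    match-clients { any; };
    recursion yes;
    zone "corp.example" {
        type master;
        file "db.corp.example";
        also-notify { 10.0.0.11; 10.0.0.12; };
    };
    zone "partner.example" {
        type forward;
        forward only;
        forwarders { 10.1.2.3; };
    };
};

// --- named.conf on each slave (separate file, added example) ---
// "forwarders only" unchecked in Infoblox terms is "forward first" in BIND
// terms: ask the GM, and only iterate if the GM fails to answer at all.
options {
    recursion yes;
    forwarders { 10.0.0.10; };
    forward first;
};
zone "corp.example" {
    type slave;
    masters { 10.0.0.10; };
    file "slave.corp.example";
};
// Conditional forwarders must exist on the slave too: the GM's slave-facing
// view holds nothing but ".", so a partner.example query forwarded to the GM
// would otherwise come back NXDOMAIN from the root zone.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; };
};
```

Two things to check when reproducing this. First, view order is what makes it work: BIND evaluates `match-clients` top to bottom, so if "no-recursion" is not the first view the slaves fall into "default" and the root zone never applies; `named-checkconf` will not catch that, only a test query from a slave will. Second, Geoff's warning about diagnosing a box with a hidden root zone applies doubly here, because the NXDOMAIN is produced by a view that ordinary clients never see: a query run from a workstation against the GM will behave differently from the same query run from a slave, so document the view and its purpose where whoever operates the grid next will find it.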
