Wildcard NS records?

Expert
Posts: 271

I have a customer asking me why they can't use wildcard NS records. They have created an authoritative google.com zone in Infoblox so they can create a CNAME for "www" which redirects to "forcesafesearch.google.com."; however, they don't want to have to manually create records for docs, mail, maps etc. They are trying to create wildcard NS records to redirect all other queries to the google name servers like this:

*       NS      ns1.google.com.
        NS      ns2.google.com.

But Infoblox doesn't let you specify a wildcard when you try and add delegation records. Has anyone found a way around this? (I know the answer is to use DNS Firewall and create an RPZ policy, but they haven't purchased this).

There seems to be some debate about whether this is strictly legal, but according to the customer it works in BIND (although I have not tried it).

Cheers,

Paul

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: Wildcard NS records?

Adviser
Posts: 138

Hi Paul,

This scenario is often a challenge when you are not truly authoritative for a domain. Wildcards for NS records are not supported and I do not believe BIND technically supports them either.

As you suggested, leveraging RPZ (DNS Firewall License) would allow the customer to re-write the appropriate records with their own policy. This is the best option and they would not require a subscription to leverage this functionality.

There is also one additional potential solution that I have tested and will work for the appropriate scenario. Create the record as a domain. For example, create an authoritative domain called www.google.com. Once the domain is created you can drop an empty A record in the domain that points to the IP of forcesafesearch.google.com. This will make the DNS server believe it is auth for www.google.com alone and not any other google.com domains/records/subdomains/etc. This solves the issue of having to recreate all the appropriate records for google.com.

Now for the caveats... You cannot create a CNAME record at the domain apex, so you need to use an A record or multiple A records to point to the IP or set of IP addresses. This is not ideal as it is possible the IP in use could change at some point. This work-around would also impact any other records for www.google.com, so potentially any TXT, MX, or other DNS record types. In this scenario this is probably not a concern but just something to keep in mind.

Hope that helps!

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products
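The two constraints raised in this thread (wildcard owners on NS records are not accepted, and a CNAME cannot sit at a zone apex alongside the SOA/NS) are easy to check before loading a zone. The following is an added example, not code from the original thread or from Infoblox: a small zone-fragment parser and linter. The blank-owner continuation line from the question (`NS ns2.google.com.` inheriting `*`) is handled, and the sample fragments and the 203.0.113.10 address are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Record:
    owner: str
    rtype: str
    rdata: str

def parse_zone_fragment(text: str) -> list:
    """Parse a minimal zone-file fragment into Records.
    A line with a blank owner column inherits the previous owner,
    as in the '*  NS ...' / '   NS ...' pair from the question."""
    records, current_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.startswith("$"):  # skip blanks/directives
            continue
        if line[0].isspace():                     # continuation: reuse owner
            owner, fields = current_owner, line.split()
        else:
            owner, *fields = line.split()
        if fields and fields[0].upper() == "IN":  # optional class token
            fields = fields[1:]
        if owner is None or len(fields) < 2:
            raise ValueError(f"cannot parse zone line: {raw!r}")
        records.append(Record(owner, fields[0].upper(), " ".join(fields[1:])))
        current_owner = owner
    return records

def lint_zone(records, apex: str = "@") -> list:
    """Return the problems discussed in the thread that a server such as
    Infoblox would reject; an empty list means the fragment is acceptable."""
    problems = []
    for r in records:
        if r.rtype == "NS" and r.owner.startswith("*"):
            problems.append(f"wildcard NS owner {r.owner!r} is not supported")
        if r.rtype == "CNAME" and r.owner == apex:
            problems.append("CNAME at the zone apex cannot coexist with SOA/NS")
    return problems

# Constructed sample: the customer's intended google.com zone.
WILDCARD_NS_ZONE = """$ORIGIN google.com.
www     CNAME   forcesafesearch.google.com.
*       NS      ns1.google.com.
        NS      ns2.google.com.
"""
# Constructed sample: the www.google.com work-around zone (placeholder IP).
APEX_A_ZONE = "@   IN  A   203.0.113.10 ; IP of forcesafesearch.google.com\n"
```

Running `lint_zone(parse_zone_fragment(WILDCARD_NS_ZONE))` reports both wildcard NS lines, while the apex-A work-around zone lints clean; a CNAME placed at `@` instead would be flagged.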
Re: Wildcard NS records?

Expert
Posts: 271

Thanks for the reply, I did suggest a domain apex A record but they didn't really like the idea of hardcoding the IP address. In the end we enabled an RPZ temporary license and created an RPZ zone which is working fine. Now we have to convince them to purchase a permanent license! :-)

It would be nice to use wildcards instead of having to define every www.google.* domain there is, but I guess we are limited by what we can put into the "owner" field of a resource record. Also, I didn't find the Infoblox documentation very clear on how to configure it; I ended up googling some other info and experimenting in the end, so I will probably write a blog post about it some time.

Paul Roberts
PCN (UK) Ltd
Re: Wildcard NS records?

Adviser
Posts: 138

Thanks! A blog post sometime would be great :-) From what I recall the RPZ license alone is not very costly and there are a lot of creative tasks you can accomplish with it outside of the security aspects so hopefully your customer will go for it :-)
