07-31-2019 01:13 PM
I've inherited our Infoblox environment as the previous engineer has left the company. Our grid has 9 separate views. I'm deploying a new HA pair for a new DMZ environment. The requirement is to allow clients to query this new HA pair and resolve any internal domain, but not be able to resolve external (Internet) names. I am uncertain how to achieve this...
Do I just disable root hints and forwarders on the new HA pair? How do I get it to resolve all internal names from the other 8 zones? Do I need to create a new DNS view for this pair, and then create a forward zone for each internal zone they want to resolve? That could get lengthy... Or do I not create a new view, put it in the main company view, and achieve the same result by disabling forwarders & root hints at the member level?
07-31-2019 01:47 PM
This is a function of recursion. If any client queries your server directly and your server does not know the answer, it will either:
- If recursion is enabled and allowed, it will attempt to resolve the query following any forwarder configuration or the root hints.
- If recursion is NOT enabled and/or allowed and the answer is not in the local cache, return a servfail/recursion not allowed response.
If your server is accessible across the Internet, it is a good/best practice to allow only clients on trusted networks to send recursive queries. To accomplish this, you can do this at the Grid, Grid member, and/or DNS View levels. The Grid level is a good place to start for what you described as this is a global configuration, and to set this:
- Navigating to the Data Management -> DNS tab in your Infoblox GUI.
- Click on the Grid DNS Properties button in the toolbar on the right hand side of the page and open the Queries tab.
- Scroll down and verify that the Allow recursion checkbox is enabled. Note: If not but recursion does already work, you may need to set this in a different area.
- In the "Allow recursive queries from" section, click on the arrow next to the + (Add) button and select IPv4 Network. Enter the network address and netmask that you want to allow, verify that the permission is set to Allow, and click Add. Repeat this for any other networks you want to allow (it may be easiest to allow private address space as needed, such as 10.0.0.0 with an 8-bit netmask).
- Click on the arrow next to the + (Add) button and select Any Address/Network.
- In the PERMISSION column, click on the word Allow for the Any type permission you just added and change this to Deny.
- Adjust the ordering and networks as needed (the deny any/any statement should be ordered last). Click Save & Close once done.
- Restart services to apply the change.
Hope this helps.
08-01-2019 06:15 AM
Hmm... possibly. At the grid level, recursion is set to only allow all RFC 1918 addresses. If I place this new HA pair into an existing view but disable recursion on this pair specifically, then only authoritative zones will resolve, right? Even if a forward zone exists in that view (forwarding to another internal grid member in a different view), it won't resolve it due to recursion being disabled. If that is true, then that isn't what I'm going after. Recursion is OK for internal records, just not Internet records.
Right now I went ahead and put it in its own NS group and a new DNS view. I'll create a forward zone (forwarding to another internal grid member in a different view) test it, then disable recursion at the member level and test again. That will probably tell me which way I need to go... thank you for your response and helping think through it.
08-01-2019 06:44 AM
With recursion, the default policy is to allow all. If you do not have an explicit deny statement in the ACL, then you are allowing the RFC 1918 addresses, along with everyone else.
An additional view like you described can accomplish what you described here; however, this comes with its own caveats and can make managing DNS more difficult. As you also noted, this prevents forwarding from working and you will see servfail responses for any entries that use that forwarding (and are not in the system's local cache).
The recursive queries ACL is all you should need to accomplish this and if it is not working as expected, you may want to consult with Infoblox Support and they can help review things with you to make sure it is set correctly.
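A small model of the ordered "Allow recursive queries from" list from the steps above and of the default-allow point in this reply. This is an added example, not Infoblox code; it assumes entries are evaluated top-down, the first match decides, and a client matching no entry falls through to Allow, as the thread describes.

```python
"""Model of an ordered recursion ACL: top-down, first match wins,
unmatched clients fall through to the default permission (Allow).
Assumed semantics, not Infoblox's own implementation."""
from ipaddress import ip_address, ip_network

# RFC 1918 private address space, as the poster allows at grid level.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def recursion_allowed(acl, client_ip, default="Allow"):
    """Return True if client_ip may send recursive queries under acl.

    acl is a list of (network, permission) tuples in display order;
    the network "any" stands for the Any Address/Network entry.
    """
    addr = ip_address(client_ip)
    for net, permission in acl:
        if net == "any" or addr in ip_network(net):
            return permission == "Allow"  # first matching entry decides
    return default == "Allow"  # nothing matched: implicit default


# ACL as the questioner has it: RFC 1918 allows only, no deny entry.
acl_without_deny = [(n, "Allow") for n in RFC1918]
# ACL as recommended above: same allows, then an explicit deny-any last.
acl_with_deny = acl_without_deny + [("any", "Deny")]
# Mis-ordered ACL: deny-any placed first shadows every later allow.
acl_misordered = [("any", "Deny")] + acl_without_deny


def evaluate(acl, clients):
    """Map each client address to its recursion decision under acl."""
    return {ip: recursion_allowed(acl, ip) for ip in clients}


if __name__ == "__main__":
    # Constructed sample clients: two private, one public (203.0.113.0/24
    # is documentation space, used here as a stand-in for the Internet).
    sample = ["10.20.30.40", "192.168.1.5", "203.0.113.7"]
    for name, acl in [("no deny", acl_without_deny),
                      ("deny last", acl_with_deny),
                      ("deny first", acl_misordered)]:
        print(f"{name:10s} {evaluate(acl, sample)}")
```

The "no deny" case shows why the public client is still allowed recursion until the explicit deny-any entry is added, and "deny first" shows why that entry must be ordered last.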
09-03-2019 08:20 AM
I have this working as desired. I ended up adding it into our main DNS view. Doing so looks like all authoritative zones within that view get assigned to the new grid member and it can resolve those zones (which is fine). Any other zones within that view, like forward zones, have to be edited and you have to add the new member to them. I have done this as needed.
For excluding internet name resolution, under member DNS properties I have set it to use 127.0.0.1 as custom root hint name server and forwarders only.
I did also add a new ACL specifying the intended client IPs and added it to queries & recursive queries.
Thank you TTiscareno for your guidance.