3 Replies Latest reply: Feb 12, 2013 7:11 PM by Michael Ojaste
Michael Ojaste Level 3 Level 3 (530 points)

Fun with BIND and OS X Server. Those who know, know.

What I am trying to achieve is to have full control over my domain's forward and reverse DNS. I already got the ISP to point to my rDNS; they used a "-" instead of "/", so I am not sure how BIND sees that yet. I have read it's the same, only a syntax change. Now to my problem.

I set up the reverse zone file correctly, and all the responses to the local CLI tools were perfect (host, nslookup, dig, etc., including dscacheutil). The problem was letting the outside world see it. Every query that came in was (denied): PTR, A, etc. I tried a bunch of different entries in the named.conf and then in the SA file "publicView.conf.apple".

I tried "allow-query { any; };" both in the zone list and in named.conf. I tried "query-source address * port *;" since I saw from the logs that the (denied) queries came in on non-53 ports. Nothing I tried would allow a query of the 208-28.xx.xxx.xxx.in-addr.arpa. zone. Mind you, outside queries of forward DNS worked, and local queries of both Fwd and Rev worked.

In the end I had to open the "allow-recursion {"com.apple.ServerAdmin.DNS.public";};" to "any" and it worked. Now I cannot, or do not want to, leave it this way, and I also currently broke SA access to the files.

So, options?

1. Can anyone tell me what I can do to keep the allow-recursion ACL in place but allow queries to my 208-28.xx.xxx.xxx.in-addr.arpa. zone to work?

 

2. If "allow-recursion" has to be open for rDNS to work can I create "view "all" { zone "208-28.xx.xxx.xxx.in-addr.arpa" IN  { type master; ...};}; type entry in the named.conf after (or before) "include "/etc/dns/publicView.conf.apple";"? I would also put back the default rDNS zone so SA will work but I'll manually edit the custom rDNS zone.

My thing is I am no BIND expert and I'm not sure whether I can have two "view" statements, or whether it should go before or after the "include" in named.conf.

 

Any help will get you a gold star, lol.


Mac Pro, Mac OS X (10.6.8), Server 2 x 2.66Ghz intel Xeon 2006
  • MrHoffman Level 6 Level 6 (12,980 points)

    Has your ISP delegated DNS for your IP addresses to your DNS servers?  (That's somewhat unusual, and it's not something I'd generally recommend, and you'll probably want multiple DNS servers.)

     

    If you're not sure about that, ask your ISP, or (from outside) see what DNS server is configured as authoritative for the reverse translations.

     

    I might infer you do based on that zone transfer, but would prefer to confirm this.

     

    You'll probably want to dedicate these servers, and probably also put them in a DMZ, as DNS servers are targets for attacks; and OS X Server wouldn't be my preferred choice for hosting public DNS, as you're going to go around the Server.app or Server Admin.app tools to get where you need.

     

    If there's NAT involved here, my preference would be to leave DNS at the provider, and to host DNS (within the NAT'd network) locally.

  • Michael Ojaste Level 3 Level 3 (530 points)

    MrHoffman wrote:

     

    Has your ISP delegated DNS for your IP addresses to your DNS servers?  (That's somewhat unusual, and it's not something I'd generally recommend, and you'll probably want multiple DNS servers.)

     

    If you're not sure about that, ask your ISP, or (from outside) see what DNS server is configured as authoritative for the reverse translations.

    Yes, they have, hence the 208-28.xx.xxx.xxx.in-addr.arpa. rDNS zone, and I do have a secondary DNS host outside my local network. I have confirmed the root references, and my IP block does correctly come to my DNS for resolution.

     

    MrHoffman wrote:

     

    You'll probably want to dedicate these servers, and probably also put them in a DMZ, as DNS servers are targets for attacks; and OS X Server wouldn't be my preferred choice for hosting public DNS, as you're going to go around the Server.app or Server Admin.app tools to get where you need.

     

    If there's NAT involved here, my preference would be to leave DNS at the provider, and to host DNS (within the NAT'd network) locally.

    I have a DNS for local that is separate from the public DNS. I do operate the public DNS behind a Cisco firewall that handles the IP translation perfectly. My question is more about rDNS and BIND, and why BIND would not allow queries to be resolved without turning recursion on. As I said above, forward DNS queries for things like mail.example.com from the outside worked fine with "allow-recursion {"com.apple.ServerAdmin.DNS.public";};" in place. Only rDNS queries were (denied) in the named.log. Once "allow-recursion {any;};" was set, rDNS worked for requests to resolve "213 IN CNAME 213.208-28.xx.xxx.205.in-addr.arpa.", which is how my ISP set the PTR entries.

    Can I have a second

    acl "reverse" {any;};
    view "reverse" {
        allow-recursion {any;};
        zone "208-28.xx.xxx.205.in-addr.arpa." IN {
            type master;
            file "db.208-28.xx.xxx.205.in-addr.arpa.";
            allow-update { none; };
            allow-transfer { any; };
        };
    };

    and place this in named.conf? Should it go before or after the "include "/etc/dns/publicView.conf.apple";"?

    If I can do that, recursion will only occur on the rDNS zone, and I can put the normal rDNS zone file back and use Server Admin as normal, but I would have to make manual changes to the db.208-28.xx.xxx.205.in-addr.arpa. file for public rDNS resolution. Hope that is clear.
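    The CNAME-into-a-child-zone layout the ISP used above is RFC 2317 classless in-addr.arpa delegation. As an added example (not from this thread, Apple or BIND), here is a small Python model of it for a constructed 192.0.2.208/28 block, showing which records sit on the ISP side, which the customer serves, and which name the customer's server is actually asked for; the nameserver and host names are constructed too.

```python
"""RFC 2317 classless in-addr.arpa delegation, worked for a /28 (added example,
not from the thread). The ISP keeps the /24 reverse zone and publishes, for each
address in the customer's block, a CNAME into a child zone named after the block,
"208-28.<c>.<b>.<a>.in-addr.arpa" (RFC 2317 writes "208/28"; "-" is a common
substitute). The customer's BIND is authoritative only for that child zone.
Sample block 192.0.2.208/28 and the host names used are constructed."""
from __future__ import annotations
import ipaddress

ARPA = "in-addr.arpa"

def _net(block) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(block)  # accept '192.0.2.208/28' or an IPv4Network

def child_zone_name(block, sep: str = "-") -> str:
    """Customer-side zone name, e.g. '208-28.2.0.192.in-addr.arpa'."""
    net = _net(block)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 applies to blocks smaller than a /24")
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}{sep}{net.prefixlen}.{c}.{b}.{a}.{ARPA}"

def isp_parent_records(block, nameservers: list[str], sep: str = "-") -> list[str]:
    """Records the ISP adds to its /24 zone (owner names relative to that zone):
    NS delegation of the child zone plus one CNAME per address in the block."""
    child = child_zone_name(block, sep)
    records = [f"{child.split('.')[0]}\tIN\tNS\t{ns}" for ns in nameservers]
    for ip in _net(block):  # RFC 2317 delegates every address, network and broadcast included
        last = str(ip).split(".")[-1]
        records.append(f"{last}\tIN\tCNAME\t{last}.{child}.")
    return records

def customer_child_records(block, names: dict[str, str]) -> list[str]:
    """PTR records the customer serves in the child zone (owner = last octet)."""
    for ip in names:
        if ipaddress.ip_address(ip) not in _net(block):
            raise ValueError(f"{ip} is outside {block}")
    return [f"{ip.split('.')[-1]}\tIN\tPTR\t{host}" for ip, host in names.items()]

def resolve_ptr(ip: str, block, names: dict[str, str], sep: str = "-") -> tuple:
    """Simulate the two-step lookup a resolver performs: the query name in the ISP's
    /24 zone, the CNAME target (the name the customer's server is actually asked
    for, so it must fall inside the zone the customer serves), and the final PTR."""
    if ipaddress.ip_address(ip) not in _net(block):
        raise ValueError(f"{ip} is outside {block}")
    o = ip.split(".")
    query = f"{o[3]}.{o[2]}.{o[1]}.{o[0]}.{ARPA}"
    target = f"{o[3]}.{child_zone_name(block, sep)}"
    return query, target, names.get(ip)
```

    Queries for names in the child zone are answered from authoritative data, which BIND 9 gates with allow-query on the zone or view rather than allow-recursion, so the zone can be served to any client while recursion stays limited to the local ACL. Opening allow-recursion to any turns the server into an open resolver that can be abused for reflection traffic, so it is the setting to keep closed.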

     


  • Michael Ojaste Level 3 Level 3 (530 points)

    Well, after more research I have found that I can add a second "view" with no problem. It is kind of like a split-horizon setup. I will have one "view" of zones that follow the ACL of "com.apple.ServerAdmin.DNS.public" as listed in Server Admin, and I will add a "view" in named.conf that will point to the open public rDNS with an ACL of "any".

    When I have it all up and working I'll post directions. I am still curious why rDNS did not work like a forward DNS lookup in view "com.apple.ServerAdmin.DNS.public". I think I can keep the protected allow-recursion ACL in both "view"s, but I'm not sure yet.

    Still would not mind help from BIND experts.