Unbound + nsd: acl to only allow non-recursive requests?

Hi,

I'm trying to replace my bind server with unbound + nsd.
My DNS server works both as authoritative for a few zones and
also as a recursive resolver for a few subnets.

I configured the domains I want to serve authoritatively as stub
zones in unbound, so that the requests are forwarded to a locally
running nsd on a different port.

I need the server to allow non-recursive queries from anywhere.
I want to allow recursive queries only from specified subnets to
prevent misuse of my server for a DNS amplification attack.

The "access-control:" directive only has these actions:
  refuse
  deny
  allow_snoop -- allows recursive + nonrecursive queries
  allow -- allows recursive queries

I am missing an action to only allow nonrecursive queries.
Then, I could do:

  access-control: 1.2.3.0/24 allow_snoop
  access-control: 0.0.0.0/0 allow_nonrec

to only allow recursive queries from 1.2.3.x and nonrecursive
from anywhere.

What other options do I have?

I'm limited to a single IP address, so I can't run unbound on one
and nsd on another.

The only solution I can think of is using iptables to redirect
the DNS traffic to unbound's port for queries from 1.2.3.0/24 and
to nsd's port for other queries. Makes me sort of uneasy ;-)

Would it be a totally stupid thing to implement the allow_nonrec
action for access-control? Any chances of such a patch being
accepted for unbound?

How about planning to run unbound and NSD independently, each bound to different addresses? You'll need to renumber your nameserver in the appropriate registries, but if there are only a few zones involved, that seems unlikely to be difficult.

Your life will get easier in the long run if you treat recursive and authoritative DNS as separate, independent services.

Joe

Hi Jiri,

>> I'm trying to replace my bind server with unbound + nsd. My DNS
>> server works both as authoritative for a few zones and also as a
>> recursive resolver for a few subnets.
>
> How about planning to run unbound and NSD independently, each bound
> to different addresses? You'll need to renumber your nameserver in
> the appropriate registries, but if there are only a few zones
> involved, that seems unlikely to be difficult.
>
> Your life will get easier in the long run if you treat recursive
> and authoritative DNS as separate, independent services.

The options are called deny_non_local and refuse_non_local. They
differ in what you want them to do with the disallowed
non-authoritative queries (drop or refuse, refuse is nicer and is more
like a regular authority server).

The version with this patch has not yet been released, you'll have to
wait for the next release or get the source from the svn (trunk).

Best regards,
   Wouter

Hi Wouter,

> The options are called deny_non_local and refuse_non_local. They
> differ in what you want them to do with the disallowed
> non-authoritative queries (drop or refuse, refuse is nicer and is more
> like a regular authority server).

I looked at the patch, but that only adds acl options for local
zones. My authoritative zones are served by a locally running
NSD (on a nonstandard port) that unbound uses through a stub
zone.

Do you think adding another two options, e.g.
  deny_non_stub
  refuse_non_stub
would make sense?

Or perhaps changing
  deny_non_stub to deny_non_recursive
  and
  refuse_non_stub to refuse_non_recursive
... and differentiating based on the RD bit of the request,
instead of the zone?

I can make, test and post the patches.

Thanks,

Hi Jiri,

> Hi Wouter,

I would like to say that Joe Abley's advice is very good, and you
should see if you can do that. That would likely be a better setup.
If not, let's talk about unbound configuration.

>> The options are called deny_non_local and refuse_non_local.
>> They differ in what you want them to do with the disallowed
>> non-authoritative queries (drop or refuse, refuse is nicer and is
>> more like a regular authority server).
>
> I looked at the patch, but that only adds acl options for local
> zones. My authoritative zones are served by a locally running NSD
> (on a nonstandard port) that unbound uses through a stub zone.

Yes I see. That would need some sort of patch. Please reconsider
Joe's set up, which is what is recommended by DNS Operations RFCs.

> Do you think adding another two options, e.g. deny_non_stub
> refuse_non_stub would make sense?
>
> Or perhaps changing deny_non_stub to deny_non_recursive and
> refuse_non_stub to refuse_non_recursive ... and differentiating
> based on the RD bit of the request, instead of the zone?

Don't differentiate based on the +RD bit. Because authority servers
should respond to +RD requests. So this would create a flawed
authority server.

> I can make, test and post the patches.

What you could make is some sort of configuration option for the
local-zone directive, that is much like the deny_non_local, but allows
these servers to only query that specific zone and not other zones...
Not sure how to do this cleanly. Patches can be stored in unbound's
contrib directory in the source, to benefit others with similar issues.

Best regards,
   Wouter
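The two policies argued over in this thread (Jiri's original "nonrecursive from anywhere, recursion only from 1.2.3.0/24" and Wouter's "outsiders may only ask for names in zones you are authoritative for, never decide on the RD bit") can be made concrete with a small model. The following is an added example, not code from the thread, from unbound or from NSD: it parses the header and question of a wire-format DNS query, applies both policies to constructed sample queries, and builds the REFUSED reply that distinguishes the refuse_non_local style from the silent deny_non_local style. The zones example.org/example.net, the outside source address 203.0.113.7, the NON_LOCAL_ACTION setting and all function names are assumptions made for the example; only 1.2.3.0/24 comes from the original post.

```python
"""Added example: model of the access policies discussed in the thread.
Not part of unbound or NSD; zones, addresses and names are illustrative."""
import ipaddress
import struct

# Assumed configuration (constructed for this example; 1.2.3.0/24 is Jiri's subnet).
RECURSION_ALLOWED = [ipaddress.ip_network("1.2.3.0/24")]
AUTH_ZONES = ["example.org.", "example.net."]   # hypothetical zones served by the local NSD
NON_LOCAL_ACTION = "refuse"                      # "refuse" -> RCODE REFUSED, "deny" -> drop
RCODE_REFUSED = 5


def parse_query(msg):
    """Parse the 12-byte header and the first question of a wire-format DNS
    message (RFC 1035 section 4.1). Raises ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("short packet")
    qid, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated question name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "rd": (flags >> 8) & 1, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question_end": off + 4}


def build_query(qname, qtype=1, rd=True, qid=0x1234):
    """Build a minimal query (A record by default); used for the sample traffic."""
    header = struct.pack("!6H", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def decide(src_ip, msg):
    """Wouter's policy: trusted subnets get full recursion; everyone else may
    only ask for names under our authoritative zones. The RD bit is
    deliberately ignored, because an authority server must answer +RD queries."""
    q = parse_query(msg)
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in RECURSION_ALLOWED):
        return "allow"                      # like access-control ... allow
    if any(in_zone(q["qname"], z) for z in AUTH_ZONES):
        return "allow"                      # answered from the local zone / NSD
    return NON_LOCAL_ACTION                 # refuse_non_local / deny_non_local


def decide_by_rd_bit(src_ip, msg):
    """The refuse_non_recursive idea: outsiders judged on the RD bit alone.
    Included only to show the flaw: a +RD query for our own zone is refused."""
    q = parse_query(msg)
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in RECURSION_ALLOWED):
        return "allow"
    return NON_LOCAL_ACTION if q["rd"] else "allow"


def handle(src_ip, msg):
    """Return (verdict, reply): reply is the REFUSED message for 'refuse',
    None for 'deny' (dropped) and for 'allow' (passed on to the resolver)."""
    verdict = decide(src_ip, msg)
    if verdict != "refuse":
        return verdict, None
    q = parse_query(msg)
    flags = 0x8000 | (q["rd"] << 8) | RCODE_REFUSED      # QR=1, RD copied, RCODE=5
    return verdict, struct.pack("!6H", q["id"], flags, 1, 0, 0, 0) + msg[12:q["question_end"]]


if __name__ == "__main__":
    outsider = "203.0.113.7"                                # constructed, outside 1.2.3.0/24
    own = build_query("www.example.org.", rd=True)          # +RD query for our own zone
    foreign = build_query("www.example.com.", rd=True)      # recursion attempt from outside
    print("zone policy, own zone +RD :", decide(outsider, own))
    print("RD-bit policy, own zone +RD:", decide_by_rd_bit(outsider, own))
    print("zone policy, foreign name :", decide(outsider, foreign))
```

Running it shows why Wouter rejects the RD-bit variant: a plain `dig www.example.org @server` from anywhere sets RD, so the RD-bit policy would refuse the very zones the server is supposed to be authoritative for, while the zone-based policy answers them and refuses only names it is not responsible for.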