Private DNS

As a follow-up to the Secondary DNS article, I thought I would write about how I
created a private DNS.  In this context, a private DNS is one whose records are
restricted to certain sites or locations.

If you are this interested in DNS, I suggest you purchase the DNS and BIND book.
It’s what I have, and I referred to it many times when writing this article.

Note: this method is simple and straightforward, but big sites do this
differently.  See the last paragraph for more information.

Zone setup

I wanted to make sure that people outside my LAN could not find out what machines I had
and what their IP addresses were.  So I started looking at how I could split my DNS into
two parts, public and private, with each part in a separate zone.  The public zone
includes things such as www, ftp, etc.: in other words, all the machines you want the
public to know about.  The private zone includes the machines you don’t want people to
know about.  This might include workstations, secure servers, and generally anything
which is not public.

For this example, we will use the domain yourdomain.org.  We will create a subdomain
priv.yourdomain.org which we will hide from everyone but our trusted friends.

The public zone

Here’s the zone file for yourdomain.org as of 1999.07.08.  Remember these points:

  • The name server is ns.yourdomain.org
  • You have an email address soa@yourdomain.org which is your contact for DNS issues.
  • 199907051 shows that this zone file was last updated on 1999 July 5 and is the first
    revision of that day.
  • Mail goes to mail.yourdomain.org.
  • Don’t forget to change the placeholder values (yourdomain.org, your.ns.ip.address
    and so on) to your own.

$ cat db.yourdomain.org
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907051       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
                IN      MX      5       mail.yourdomain.org.
;
; Define the rest of my subnet
;

ns.yourdomain.org.              IN A            your.ns.ip.address

www.yourdomain.org.             IN CNAME        ns.yourdomain.org.
ftp.yourdomain.org.             IN CNAME        ns.yourdomain.org.
mail.yourdomain.org.            IN CNAME        ns.yourdomain.org.

The private zone

Here’s the zone file for priv.yourdomain.org as of 1999.07.08.  The same points as for
the public zone apply.

$ cat db.priv.yourdomain.org
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907081       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
$ORIGIN priv.yourdomain.org.

blueberry                       IN      A               192.168.0.9
skidoo                          IN      A               192.168.0.50
cobequid                        IN      A               192.168.0.6
collingwood                     IN      A               192.168.0.47
oxford                          IN      A               192.168.0.46
springhill                      IN      A               192.168.0.42
amherst                         IN      A               192.168.0.44

If you can figure out the naming theme I used above, you get bonus points.  Basically,
you have to figure out what the above names have in common.  Answers/guesses should be
added to the article comments.

The reverse lookup file

This file allows you to find out the name of a box from its IP address.

$ cat db.priv.yourdomain.org.rev
@       IN      SOA     ns.yourdomain.org. soa.yourdomain.org.  (
                                199907081       ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum

; name servers

                IN      NS      ns.yourdomain.org.
; PTR targets must be fully qualified (note the trailing dot).  A bare name such as
; "blueberry" would otherwise be expanded to blueberry.0.168.192.in-addr.arpa.
9       IN      PTR     blueberry.priv.yourdomain.org.
50      IN      PTR     skidoo.priv.yourdomain.org.
6       IN      PTR     cobequid.priv.yourdomain.org.
47      IN      PTR     collingwood.priv.yourdomain.org.
46      IN      PTR     oxford.priv.yourdomain.org.
42      IN      PTR     springhill.priv.yourdomain.org.
44      IN      PTR     amherst.priv.yourdomain.org.

named.conf

You will want to modify named.conf to use the above zone files.  Normally, this file is
located in /etc/namedb, so you will usually find it at /etc/namedb/named.conf.  Here’s
what you need to add to use the above zone files:

zone "yourdomain.org" {
        type master;
        file "db.yourdomain.org";
};

zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "db.priv.yourdomain.org.rev";
};

What can be seen?

The object of this exercise is to restrict access to the private section of your
domain.  There are two types of things we want to prevent:

  • queries
  • zone transfers

A query, which can be performed with nslookup, asks about a single host.  A zone
transfer is used when someone wants to see everything in a particular zone; it can
also be done via nslookup or with host.  Here are some examples of what can be done
with the above zone files if you don’t secure them.

# host -l -v -a yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
yourdomain.org  3600 IN SOA     ns.yourdomain.org soa.yourdomain.org(
                        199907051       ;serial (version)
                        3600            ;refresh period
                        900             ;retry refresh this often
                        3600000         ;expiration period
                        3600            ;minimum TTL
                        )
yourdomain.org  3600 IN NS      ns.yourdomain.org
yourdomain.org  3600 IN MX      5 mail.yourdomain.org
priv.yourdomain.org     3600 IN NS      ns.yourdomain.org
mail.yourdomain.org     3600 IN CNAME   ns.yourdomain.org
www.yourdomain.org      3600 IN CNAME   ns.yourdomain.org
ns.yourdomain.org       3600 IN A       192.168.0.20
ftp.yourdomain.org      3600 IN CNAME   ns.yourdomain.org
yourdomain.org  3600 IN SOA     ns.yourdomain.org soa.yourdomain.org(
                        199907051       ;serial (version)
                        3600    ;refresh period
                        900     ;retry refresh this often
                        3600000 ;expiration period
                        3600    ;minimum TTL
                        )

As you can see, anyone can tell that your subdomain priv.yourdomain.org exists.  So
it would be a simple matter to do the following:

# host -l -v -a priv.yourdomain.org
rcode = 0 (Success), ancount=1
Found 1 addresses for ns.yourdomain.org
Trying your.ns.ip.address
priv.yourdomain.org  3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
                     199907081   ;serial (version)
                     3600        ;refresh period
                     900         ;retry refresh this often
                     3600000     ;expiration period
                     3600        ;minimum TTL
                     )
priv.yourdomain.org     3600 IN NS      ns.yourdomain.org
collingwood.priv.yourdomain.org 3600 IN A       192.168.0.47
amherst.priv.yourdomain.org     3600 IN A       192.168.0.44
oxford.priv.yourdomain.org      3600 IN A       192.168.0.46
cobequid.priv.yourdomain.org    3600 IN A       192.168.0.6
skidoo.priv.yourdomain.org      3600 IN A       192.168.0.50
springhill.priv.yourdomain.org  3600 IN A       192.168.0.42
blueberry.priv.yourdomain.org   3600 IN A       192.168.0.9
priv.yourdomain.org  3600 IN SOA ns.yourdomain.org soa.yourdomain.org(
                     199907081   ;serial (version)
                     3600        ;refresh period
                     900         ;retry refresh this often
                     3600000     ;expiration period
                     3600        ;minimum TTL
                     )

# nslookup collingwood.priv.yourdomain.org
Server:  localhost.yourdomain.org
Address:  127.0.0.1

Name:    collingwood.priv.yourdomain.org
Address:  192.168.0.47

Restricting queries

We can restrict queries against your private domain with the following change to
named.conf: add an allow-query clause to the zone definition.

zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
        allow-query {
                127.0.0.1/32; 192.168.0.0/24;
        };
};

This modification will allow only the localhost and clients on the 192.168.0.* subnet
to query the domain priv.yourdomain.org.  Queries from all other addresses will be
refused.

With this clause in place, direct queries from outside result in this:

# nslookup collingwood.priv.yourdomain.org
Server:  some.other.domain
Address:  127.0.0.1

*** some.other.domain can't find collingwood.priv.yourdomain.org: 
                                Non-existent host/domain

The above attempt from outside my domain resulted in this entry in my log file:

ns named[104]: unapproved query from [210.55.152.247].1296 for 
                                "collingwood.priv.yourdomain.org"

Restricting zone transfers

We can restrict zone transfers of your private domain with the following change to
named.conf: add an allow-transfer clause to the zone definition.

zone "priv.yourdomain.org" {
        type master;
        file "db.priv.yourdomain.org";
        allow-query {
                127.0.0.1/32; 192.168.0.0/24;
        };
        allow-transfer {
                127.0.0.1/32; 192.168.0.0/24;
        };
};

As with the allow-query clause, this modification will allow only the
localhost and clients on the 192.168.0.* subnet to perform a zone transfer on the domain
priv.yourdomain.org.  Transfer attempts from all other addresses will be refused.

If we now try the same command from before, we get this:

# host -l -v -a priv.yourdomain.org
Using domain server:
Name: some.other.domain
Address: 127.0.0.1

Trying your.ns.ip.address
Server failed: Query refused

This results in the following type of entry in your log files:

ns named[104]: unapproved AXFR from [some.other.domain].1101 for 
        "priv.yourdomain.org" (acl)
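Both kinds of log entry above are worth watching, since a refused AXFR means someone deliberately tried to enumerate the private zone.  The following script is an added example (not part of the original article): it picks the "unapproved query" and "unapproved AXFR" entries out of a named log and tallies them per source address.  The sample log lines are constructed to match the format shown above; apart from the address quoted in the article, the addresses are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the two "unapproved ..." messages shown in the article.  The source is
# logged as [address].port; the AXFR variant carries a trailing "(acl)".
UNAPPROVED_RE = re.compile(
    r'named\[\d+\]: unapproved (?P<kind>query|AXFR) from '
    r'\[(?P<src>[^\]]+)\]\.(?P<port>\d+) for "(?P<name>[^"]+)"'
)


@dataclass(frozen=True)
class Unapproved:
    kind: str   # "query" (single-name lookup) or "AXFR" (zone transfer attempt)
    src: str    # source address exactly as logged
    port: int
    name: str   # the host name or zone that was asked for


def parse_unapproved(lines):
    """Return one Unapproved record per matching line; anything else is ignored."""
    events = []
    for line in lines:
        m = UNAPPROVED_RE.search(line)
        if m:
            events.append(Unapproved(m["kind"], m["src"], int(m["port"]), m["name"]))
    return events


def summarize(events):
    """Tally refused requests per (source, kind) and list sources that tried a transfer."""
    per_src = Counter((e.src, e.kind) for e in events)
    axfr_sources = sorted({e.src for e in events if e.kind == "AXFR"})
    return per_src, axfr_sources


# Constructed sample log lines in the format the article shows.  203.0.113.5 is a
# made-up documentation address; the last line is a made-up non-matching entry
# included to show that it is skipped.
SAMPLE_LOG = [
    'Jul  8 10:01:12 ns named[104]: unapproved query from [210.55.152.247].1296 for "collingwood.priv.yourdomain.org"',
    'Jul  8 10:01:13 ns named[104]: unapproved query from [210.55.152.247].1297 for "skidoo.priv.yourdomain.org"',
    'Jul  8 10:02:40 ns named[104]: unapproved AXFR from [203.0.113.5].1101 for "priv.yourdomain.org" (acl)',
    'Jul  8 10:03:00 ns named[104]: approved AXFR from [192.168.0.6].1102 for "priv.yourdomain.org"',
]

if __name__ == "__main__":
    per_src, axfr_sources = summarize(parse_unapproved(SAMPLE_LOG))
    for (src, kind), n in sorted(per_src.items()):
        print(f"{src:16} {kind:6} refused {n}")
    print("sources that attempted a zone transfer:", axfr_sources)
```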

The last paragraph

The above samples should work.  If they don’t, please let me know.

Please note that this is a very simple solution.  Big sites would hopefully not use
this method.  Instead, they would split the two zones onto two name servers.  One name
server would service requests coming from the outside (i.e. public requests).  The
other name server would service requests coming from the inside (i.e. private
requests).  One day I might try this approach.  Right now I have enough machines, but
I can’t be bothered at the moment.
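The two-server split described above can also be done on a single server with BIND 9 views, which did not exist when this article was written.  The following named.conf fragment is an added example, not the article’s own configuration; it assumes BIND 9 syntax and the zone files named above.  Clients matching the internal ACL see both zones; everyone else sees only yourdomain.org, so an outside query for a priv.yourdomain.org name gets NXDOMAIN from the public zone instead of a REFUSED that confirms the subdomain exists.

```conf
; Assumed BIND 9 configuration (added example, not from the article).
acl "internal" { 127.0.0.1/32; 192.168.0.0/24; };

; When views are used, every zone must live inside a view.
view "internal" {
        match-clients { internal; };
        recursion yes;

        zone "yourdomain.org" {
                type master;
                file "db.yourdomain.org";
        };
        zone "priv.yourdomain.org" {
                type master;
                file "db.priv.yourdomain.org";
                allow-transfer { internal; };
        };
        zone "0.168.192.in-addr.arpa" {
                type master;
                file "db.priv.yourdomain.org.rev";
                allow-transfer { internal; };
        };
};

; Everyone else: only the public zone exists, and no transfers of it either.
view "external" {
        match-clients { any; };
        recursion no;

        zone "yourdomain.org" {
                type master;
                file "db.yourdomain.org";
                allow-transfer { none; };
        };
};
```

Views are matched in order, so the internal view must come first; a client that does not match it falls through to the external view.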

2 thoughts on “Private DNS”

  1. Maybe I am overlooking something here.

    I want to create my own top level domain (this is strictly for fun). It will be .lan.

    Okay, I want second level domains, for humour purposes, such as:

    .lr.lan (for computers in the living room on the LAN)
    .br.lan (bathroom)
    .kt.lan (kitchen)
    .bd.lan (bedroom)
    – my.bd.lan (computers in my room)
    – hr.bd.lan (computers in HER room)

    etc. etc. etc.

    How may I create zones for the .lan TLD to delegate? For example:

    I am using 192.168.1.0 addresses.
    One of the computers in my living room needs to resolve to:

    andromeda.lr.lan (192.168.1.1)

    How would I go about setting this up? I have tried and it fails to resolve.

  2. RFC 974 recommends avoiding pointing MX records to CNAMEs, so

    @ IN MX 5 mail.yourdomain.org.
    mail.yourdomain.org. IN CNAME ns.yourdomain.org.

    is pretty much illegal and remote MTAs will complain about it.
