Private DNS
As a follow-up on the Secondary DNS article, I thought I
would write about how I created a private DNS. In this context, a private DNS is
restricted to certain sites or locations.
If you are this interested in DNS, I suggest
you purchase the DNS and Bind book. It’s what I have and I
referred to it many times when writing this article.
Note: this method is simple and straight forward. But big sites do this
differently. See the last paragraph for more
information.
Zone setup
I wanted to make sure that people outside my LAN did not know what machines I had and
what the IP addresses were. So I started looking at how I could split my DNS into
two parts: public and private. Each of these two parts would be a separate zone.
The public zone will include things such as www, ftp, etc. In other words,
all the machines you want the public to know about. The private zone will include
the machines you don’t want people to know about. This might include workstations,
secure servers, and generally anything which is not public.
For this example, we will be
using the domain yourdomain.org as an example. We will create a subdomain
priv.yourdomain.org which we will hide from everyone but our trusted friends.
The public zone
Here’s the zone file for yourdomain.org as of 1999.07.08. Remember these points:
- The name server is ns.yourdomain.org
- You have an email address soa@yourdomain.org which is your contact for DNS issues.
- 199907051 shows that this zone file was last updated on 1999 July 5 and is the first
revision of that day. - Mail goes to mail.yourdomain.org.
- Don’t forget to change everything in bold to your own values.
$ cat db.yourdomain.org @ IN SOA ns.yourdomain.org. soa.yourdomain.org. ( 199907051 ; Serial 3600 ; Refresh 900 ; Retry 3600000 ; Expire 3600 ) ; Minimum ; name servers IN NS ns.yourdomain.org. IN MX 5 mail.yourdomain.org. ; ; Define the rest of my subnet ; ns.yourdomain.org. IN A your.ns.ip.address www.yourdomain.org. IN CNAME ns.yourdomain.org. ftp.yourdomain.org. IN CNAME ns.yourdomain.org. mail.yourdomain.org. IN CNAME ns.yourdomain.org.
The private zone
Here’s the zone file for yourdomain.org as of 1999.07.08. Remember these points:
$ cat db.priv.yourdomain.org @ IN SOA ns.yourdomain.org. soa.yourdomain.org. ( 199907081 ; Serial 3600 ; Refresh 900 ; Retry 3600000 ; Expire 3600 ) ; Minimum ; name servers IN NS ns.yourdomain.org.$ORIGIN priv.yourdomain.org. blueberry IN A 192.168.0.9 skidoo IN A 192.168.0.50 cobequid IN A 192.168.0.6 collingwood IN A 192.168.0.47 oxford IN A 192.168.0.46 springhill IN A 192.168.0.42 amherst IN A 192.168.0.44
If you can figure out the naming theme I used above, you get bonus points.
Basically, you have to figure out what the above names nave in common.
Answers/guesses should be added to the article comments.
The reverse lookup file
This file allows you to find out the name of the box from the IP address.
$ cat db.priv.yourdomain.org.rev @ IN SOA ns.yourdomain.org. soa.yourdomain.org. ( 199907081 ; Serial 3600 ; Refresh 900 ; Retry 3600000 ; Expire 3600 ) ; Minimum ; name servers IN NS ns.yourdomain.org.9 IN PTR blueberry 50 IN PTR skidoo 6 IN PTR cobequid 47 IN PTR collingwood 46 IN PTR oxford 42 IN PTR springhill 44 IN PTR amherst
named.conf
You will want to modify named.conf to use the above zone files.
Normally, this file is located in /etc/namedb, but you might find it in /etc/namedb.named.conf.
Here’s what you need to add to use the above zone files:
zone "yourdomain.org" { type master; file "db.yourdomain.org"; }; zone "priv.yourdomain.org" { type master; file "db.priv.yourdomain.org"; }; zone "0.168.192.in-addr.arpa" { type master; file "db.priv.yourdomain.org.rev"; };
What can be seen?
The object of this exercise is to restrict the access to the private section of your
domain. There are two types of things we want to prevent:
- queries
- zone transfers
A query can be performed with nslookup and is for a single host. A zone
transfer is used when someone wants to see everything in a particular zone. This can
also be done via nslookup or with host. Here are some examples of
what can be done with the above zone files if you don’t make them secure.
# host -l -v -a yourdomain.org rcode = 0 (Success), ancount=1 Found 1 addresses for ns.yourdomain.org Trying your.ns.ip.address yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org( 199907051 ;serial (version) 3600 ;refresh period 900 ;retry refresh this often 3600000 ;expiration period 3600 ;minimum TTL ) yourdomain.org 3600 IN NS ns.yourdomain.org yourdomain.org 3600 IN MX 5 mail.yourdomain.org priv.yourdomain.org 3600 IN NS ns.yourdomain.org mail.yourdomain.org 3600 IN CNAME ns.yourdomain.org www.yourdomain.org 3600 IN CNAME ns.yourdomain.org ns.yourdomain.org 3600 IN A 192.168.0.20 ftp.yourdomain.org 3600 IN CNAME ns.yourdomain.org yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org( 199907051 ;serial (version) 3600 ;refresh period 900 ;retry refresh this often 3600000 ;expiration period 3600 ;minimum TTL )
As you can see, people can see that your subdomain priv.yourdomain.org exists. So
it would be a simple process to do the following:
# host -l -v -a priv.yourdomain.org rcode = 0 (Success), ancount=1 Found 1 addresses for ns.yourdomain.org Trying your.ns.ip.address priv.yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org( 199907081 ;serial (version) 3600 ;refresh period 900 ;retry refresh this often 3600000 ;expiration period 3600 ;minimum TTL ) priv.yourdomain.org 3600 IN NS ns.yourdomain.org collingwood.priv.yourdomain.org 3600 IN A 192.168.0.47 amherst.priv.yourdomain.org 3600 IN A 192.168.0.44 oxford.priv.yourdomain.org 3600 IN A 192.168.0.46 cobequid.priv.yourdomain.org 3600 IN A 192.168.0.6 skidoo.priv.yourdomain.org 3600 IN A 192.168.0.50 springhill.priv.yourdomain.org 3600 IN A 192.168.0.42 blueberry.priv.yourdomain.org 3600 IN A 192.168.0.9 priv.yourdomain.org 3600 IN SOA ns.yourdomain.org soa.yourdomain.org( 199907081 ;serial (version) 3600 ;refresh period 900 ;retry refresh this often 3600000 ;expiration period 3600 ;minimum TTL ) # nslookup collingwood.priv.yourdomain.org Server: localhost.yourdomain.org Address: 127.0.0.1 Name: collingwood.priv.yourdomain.org Address: 192.168.0.47
Restricting queries
We can restrict access to your private domain via queries with the following change to
named.conf. We do this by adding an allow-query clause to your zone
definition.
zone "priv.yourdomain.org" { type master; file "db.priv.yourdomain.org"; allow-query { 127.0.0.1/32; 192.168.0.0/24; }; };
This modification will allow only the localhost and clients on the 192.168.0.* subnet
to query the domain priv.yourdomain.org. Queries from all other addresses will be
refused.
With this command in place, direct queries result in this:
# nslookup collingwood.priv.yourdomain.org Server: some.other.domain Address: 127.0.0.1 *** some.other.domain can't find collingwood.priv.yourdomain.org: Non-existent host/domain
The above attempt from outside my domain resulted in this entry in my log file:
ns named[104]: unapproved query from [210.55.152.247].1296 for "collingwood.priv.yourdomain.org"
Restricting zone transfers
We can restrict access to your private domain via queries with the following change to
named.conf. We do this by adding an allow-transfer clause to your zone
definition.
zone "priv.yourdomain.org" { type master; file "db.priv.yourdomain.org"; allow-query { 127.0.0.1/32; 192.168.0.0/24; }; allow-transfer { 127.0.0.1/32; 192.168.0.0/24; }; };
As with the allow-query clause, this modification will allow only the
localhost and clients on the 192.168.0.* subnet to perform a zone transfer on the domain
priv.yourdomain.org. Transfer attempts from all other addresses will be refused.
If we now try the same command from before, we get this:
# host -l -v -a priv.yourdomain.org Using domain server: Name: some.other.domain Address: 127.0.0.1 Trying your.ns.ip.address Server failed: Query refused
This results in the following type of entry in your log files:
ns named[104]: unapproved AXFR from [some.other.domain].1101 for "priv.yourdomain.org" (acl)
The last paragraph
The above samples should work. If they don’t, please let me know.
Please note
that this is a very simple solution. Big sites would hopefully not use this
method. Instead, they would split the two zones onto two name servers. One
name server would service requests coming from the outside (i.e. public requests).
The other name server would service requests coming from the inside (i.e. private
requests). But one day, I might try this approach. Right now I have enough
machines, but I can’t be bothered at the moment.
maybe i am overlooking something here..
i want to create my own top level domain. (this is strictly for fun) it will be .lan
okay.. i want second level domains.. for humour purposes such as
.lr.lan (for computers in the living room on the lan)
.br.lan (bathroom)
.kt.lan (kitchen)
.bd.lan (bedroom)
– my.bd.lan (computers in my room)
– hr.bd.lan (computers in HER room)
etc etc etc
how may i create zones for the .lan tld to delegate.. for example..
i am using 192.168.1.0 addresses
one of the computers in my living room needs to resolve to:
andromeda.lr.lan (192.168.1.1)
how would i go about setting this up? i have tried and it fails to resolve.
RFC 974 recommends avoiding pointing MX records to CNAMEs, so
@ IN MX 5 mail.yourdomain.org.
mail.yourdomain.org. IN CNAME ns.yourdomain.org.
is pretty much illegal and remote MTAs will complain about it.