Scoped DNS replies based on network?
-
Is it possible to scope DNS responses to only provide responses to hosts on that network?
For example, I have one LAN on 10.0.0.0/24 with DNS suffix LAN1.net, but I do not want the clients on LAN2 (10.1.0.0/24) to be able to perform lookups of hosts on LAN1.
LAN2 should be able to look up other hosts on LAN2 and also perform recursive lookups on the internet, but not any other networks.
I tried a DNS ACL, but out of the existing options none of these fits the bill:
Deny: Stops queries from hosts within the netblock defined below.
Refuse: Stops queries from hosts within the netblock defined below, but sends a DNS rcode REFUSED error message back to the client.
Allow: Allow queries from hosts within the netblock defined below.
Allow Snoop: Allow recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for the administrative host.
Deny Nonlocal: Allow only authoritative local-data queries from hosts within the netblock defined below. Messages that are disallowed are dropped.
Refuse Nonlocal: Allow only authoritative local-data queries from hosts within the netblock defined below. Sends a DNS rcode REFUSED error message back to the client for messages that are disallowed.
-
@Tactis you can do this with views
But be warned, it's not a clicky-clicky sort of setup.. It will take some effort, especially if you have lots of hosts..
Out of curiosity - if you don't allow lan2 to access anything in lan1, what does it matter if they can query for the IP of an FQDN anyway.. So what if they get back 10.0.0.x for host.lan1.net - they can't get there if you set up your firewall rules correctly.
-
@johnpoz Because LAN1 is also linked via IPSec to many remote networks and will perform forward lookups to the zone servers there.
LAN1 is operating on zero-trust so it's a bit annoying I can't also limit DNS queries for certain zones to LAN1.
If it's not easy I probably won't bother; I'm currently using upstream DNS on the untrusted networks. I just wondered if something was possible so I didn't have to publish DNS records for internal hosts on LAN2.
-
@Tactis where in zero trust does it say a client can't even lookup a name? Access control yup, monitor sure, but just because a client can lookup that host.domain.tld is at 192.168.14.12 doesn't mean it can access it.
You can do with views what you're asking, or a simpler solution would just be to run a different NS for this other network - that would be far better than putting rfc1918 in a public NS.
You could prob do it with Response Policy Zones, as well..
Putting your resources into the public now allows anyone to look up those records.
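An added example of the views approach johnpoz mentions (not posted by anyone in this thread), written for Unbound, whose access-control actions the original post lists. The netblocks are the ones from the question; the hostnames, addresses and view names are assumed for illustration.

```conf
server:
    # Classic ACL: both LANs may send queries at all (the "Allow" action above).
    access-control: 10.0.0.0/24 allow
    access-control: 10.1.0.0/24 allow
    # Map each source netblock to a view; local answers are then taken from that view.
    access-control-view: 10.0.0.0/24 lan1
    access-control-view: 10.1.0.0/24 lan2

view:
    name: "lan1"
    # LAN1 clients can resolve LAN1 names (records are constructed examples).
    local-zone: "lan1.net." static
    local-data: "host.lan1.net. IN A 10.0.0.10"
    local-data: "fileserver.lan1.net. IN A 10.0.0.20"

view:
    name: "lan2"
    # LAN2 clients get rcode REFUSED for anything under lan1.net, so those
    # names never leak; lan2.net and ordinary internet recursion still work.
    local-zone: "lan1.net." refuse
    local-zone: "lan2.net." static
    local-data: "host.lan2.net. IN A 10.1.0.10"
    # forward-zone is global, not per view: each remote zone reached over the
    # IPsec links (names not given in the thread) needs its own refuse line here.
```

Check it with unbound-checkconf, then query host.lan1.net from a LAN2 host: the expected result is status REFUSED, while the same query from LAN1 returns the A record.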