[CentOS] DNS forwarding vs recursion

Mon Apr 1 19:02:48 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

On Mon, Apr 1, 2013 at 1:30 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> Actually, it's pretty easy with netfilter / iptables.  Other firewalls
> like pf filter on *BSD and proprietary ones work similarly.  If you know your
> inside networks you merely add a rule to block incoming packets on your
> external interface with source addresses that should be inside your
> firewall.

What does 'inside' mean to TCP/IP?  Are you saying it can't work if
you are all public?  Or if you expect to use redundant public routing
among all of your systems?

> Do
> we all drop BIND in favor of nscd for our authoritative name servers and
> dnsmasq for our cachers?

Well, first you have to come out and say that recursive resolvers are
too fragile to survive in public.  Or have too much potential for
collateral damage and must be outlawed.  Maybe define a way your
network topology has to be arranged.   Then move on to how BIND should
be shipped.

>  I don't think that's the answer either.
> Establishing best practices and discouraging people from misconfiguring
> applications would seem to be a better option and best current practices
> now were not always considered best practices 20 years ago.  It's a
> challenge.  It's a BIG challenge in my business.

OK, but of course it is a challenge if you advocate using tools that
most people don't have or understand - or don't work universally.

>  Asymmetric
> routes (aka triangular routing) should be severely discouraged and are
> generally considered a configuration error unless it's heavily
> justified.

I don't think BGP shares this opinion.  And I'd speculate that the
simplicity of IP routing only needing to care about the forward route
direction one hop at a time is the main reason that it became the
network of choice.  Well, that and a taxpayer funded directory service
from the start.

> They're highly unreliable to begin with (you can forget
> about getting through stateful firewalls).  Where it can be justified,
> then static rules that allow it will cover things in ways that attackers can
> not exploit.

So what you need to establish first is the location of the firewalls
in respect to recursive servers.

> Perhaps.  But I'm not quite so sure where the bad design is or if it's
> merely a confluence of extremely powerful tools, like BIND, that can be
> used in a multitude of ways.  I might agree with you more if the "bad
> design" you are referring to is the overall network design,
> architecture, and layout.  I've seen plenty of well designed tools
> misused in badly designed networks.

So you envision an internet where it is impossible to reach a
recursive resolver outside of your own organization's control?

    Les Mikesell
       lesmikesell at gmail.com
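The ingress rule Michael describes ("block incoming packets on your external interface with source addresses that should be inside your firewall"), written out as an added example that is not part of the thread. The external interface name and the inside prefixes are assumptions supplied by the caller; the functions print the iptables commands for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the list thread. Emits netfilter anti-spoofing
# rules; interface and prefixes are caller-supplied assumptions.

# ingress_antispoof EXT_IFACE PREFIX...
# Packets arriving on the external interface that claim an inside source
# address cannot be legitimate (they are spoofed or misrouted), so drop
# them both for the firewall itself (INPUT) and for forwarded traffic.
ingress_antispoof() {
    iface=$1; shift
    for prefix in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$iface" "$prefix"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$iface" "$prefix"
    done
}

# egress_antispoof EXT_IFACE PREFIX...
# The converse: only inside source addresses may be forwarded out of the
# external interface, so inside hosts cannot emit spoofed packets.
# Several prefixes cannot be written as a single negated match, so a
# dedicated chain RETURNs on each legitimate prefix and DROPs the rest.
egress_antispoof() {
    iface=$1; shift
    printf 'iptables -N ANTISPOOF_OUT\n'
    for prefix in "$@"; do
        printf 'iptables -A ANTISPOOF_OUT -s %s -j RETURN\n' "$prefix"
    done
    printf 'iptables -A ANTISPOOF_OUT -j DROP\n'
    printf 'iptables -A FORWARD -o %s -j ANTISPOOF_OUT\n' "$iface"
}

# Example run with constructed values: external interface eth0, two
# RFC 1918 inside prefixes. Pipe the output to sh (as root) to apply it.
if [ "${1:-}" = "--demo" ]; then
    ingress_antispoof eth0 10.0.0.0/8 192.168.0.0/16
    egress_antispoof eth0 10.0.0.0/8 192.168.0.0/16
fi
```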