[CentOS] DNS forwarding vs recursion

Mon Apr 1 20:40:53 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

On Mon, Apr 1, 2013 at 2:54 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>>
> AFA how BIND should be shipped...  Last time I looked (just a couple of
> days ago) BIND ships in a fairly secure manner (local caching resolver
> listening on localhost only) and the default IP tables blocks DNS
> queries and response that are not on-session.  The OP mentioned that his
> name server was an "authoritative" name server (it was servicing a zone
> for which it was configured).  That's NOT a shipped configuration.  You
> have to configure it for a zone.  Sooo...  We are NOT talking about OOB
> (Out Of the Box) configurations here at all.  Someone had to
> configuration it this way, post installation.

So everyone has to add your own zones.  I don't see how that leads to
the conclusion that it is shipped with appropriate defaults to
force/encourage separation of authoritative/recursive instances.

>> >  I don't think that's the answer either.
>> > Establishing best practices and discouraging people from misconfiguring
>> > applications would seem to be a better option and best current practices
>> > now were not always considered best practices 20 years ago.  It's a
>> > challenge.  It's a BIG challenge in my business.
>>
>> OK, but of course it is a challenge if you advocate using tools that
>> most people don't have or understand - or don't work universally.
>
> Don't have: Disagree - most have.

Where?   I'd say it is much more common for firewalls to be separate
entities that don't know much about routing.

> Don't understand: I'll grant you that.  They don't understand the tools,
> they don't understand the problem, and they don't understand best
> current practices.  You got me on that one.  There in lies the problem
> and the challenge.

Exactly.  If you can't clearly define the problem or a required
topology you can't expect people to re-arrange things.

>> >  Asymmetric
>> > routes (aka triangular routing) should be severely discourage and is
>> > generally considered a configuration error unless it's heavily
>> > justified.
>
>> I don't think BGP shares this opinion.
>
> I'm not sure I follow you on that statement.  BGP is a protocol and I've
> done some coding on that (I'm the author of the MD5 signature code in
> bgpd of the Quagga suite).  The crowd on NANOG (North American Network
> Operators Group) generally frowns upon asymmetric routing as something
> that is occasionally necessary and unavoidable but not admitted to
> loudly in public, much akin to an aunt that like to sit in the corner of
> a room at a party and frequently farts loudly.

Are you saying that something in BGP cares about anything except the
best forward path seen at the moment?  Or that as this changes
dynamically it even tries to keep the reverse path symmetrical?

> Asymmetric routing also breaks
> stateful firewalls badly if they are in the way...

Sure.  Do you want reliability or control?  Pick one.

>> And I'd speculate that the
>> simplicity of IP routing only needing to care about the forward route
>> direction one hop at a time is the main reason that it became the
>> network of choice.  Well, that and a taxpayer funded directory service
>> from the start.
>
> This was very true back then but proved to be as problematical as
> spoofing attacks abusing the DNS resolvers.  Both are rooted in the
> early ages of the Internet.  Fascinating that you bring up that point.

Packets are packets - the concepts of widely distributed, widely
available transports aren't going to change, we just do it faster now.

> Counter point is in the policy routing present in modern systems and
> that IPsec in particular is a policy oriented VPN where triangular /
> asymmetric routing frequently break.

Hence the continuing popularity of ssl-based VPNs that work better
under real-world conditions.   OpenVPN,  Juniper's, etc.

> I would concur with that.  I think that's part and parcel of
> establishing your nominal security perimeters anyways.

Maybe - as organizations grow, merge, relocate, etc. it becomes hard
to deal with perimeters or to assume that all the bad guys are
outside.

>> So you envision an internet where it is impossible to reach a
>> recursive resolver outside of your own organization's control?
>
> Not "impossible" and not under "your own organizations control".
> Certainly, ISPs provide recursers for their clients.

Yeah, but they mostly do that so they can redirect failed lookups to
their own search engines or link farms and show some ads.  As though
web browsers were the only clients for DNS.

> But...  What is
> the purpose of an indeterminant anonymous client connecting to your
> recursive server and making arbitrary queries?

Use case:  You provide a subscription service to institutions that
like strict outbound firewalling.   Your servers are located in a few
contiguous ranges and you work with their firewall admins to permit
access.  Then you find out that the desktop clients in question don't
have access to full internet DNS.

> Yes, there are some of
> us who are involved in Internet infrastructure and maintenance for which
> some of that may be useful for diagnostic purposes but, to allow anyone
> for any reason to anywhere?  That's just inviting abuse.

Sure, but there's not a reasonable way to distinguish a customer from
anyone else at the time they need DNS.

> Counter point is that some ISPs (AT&T in particular) have begun blocking
> unrestrained DNS as much as they block unrestrained SMTP because of some
> of the abuse that has taken place.

Or because they make money when they redirect the errors...

>  Whatever your opinion is on THAT
> debate (and I am decidedly NOT on their side, but I do agree with
> organizations who do it) it's a fact and it is happening.  They don't
> even allow their clients to run their own name servers (unless you are a
> "business client" and have an agreement to that effect) and force most
> of their clients to use their name servers.

And then they can charge more for the "business class" where they
don't block stuff.

-- 
   Les Mikesell
     lesmikesell at gmail.com