
I'm not quite sure how exactly to phrase what it is I need, which makes searching challenging. :) Basically I've got Bind DNS running on RackSpace instances and I want to set named up so that any of my clients can recursively query without risking an open resolver.

All clients are Linux based, though the Android mobile clients are a bit harder to configure. I know that I can set up caching instances of Bind on the laptops and gateways, which might allow some form of key based authentication of recursive requests. I am unsure if this is possible on Android clients, though.

Note that I know that I can use a wide array of public resolvers, like those provided by Google, but for reasons not relevant here, I need to run my client requests through my own server if at all possible. I have tried wading through the man pages and online docs, but I'm not clear on exactly what I need to look for.

----- More info as per comments. -----

Clients are not connected through a VPN, and I'm trying hard to avoid that for certain reasons. Just one of those reasons is that the extra memory footprint and CPU load of even lightweight, low security VPNs is challenging on the most affordable cloud instances. A second is that VPNs add a layer of complexity in almost all Android implementations that I've seen that is super annoying if not truly needed for security.

I am not "married" to Bind as a name server. If there are other FOSS name servers that might be more useful in this particular instance, I'll happily give them a spin. I've simply spent 15+ years using Bind and stopped thinking about alternatives.

I am also not greatly concerned about anyone trying to hack the DNS responses to my clients. If we were living in a world like the one the DNS system was designed for, I'd happily run an open resolver. Alas, miscreants of various stripes tend to abuse my open resolver to attack third parties.

I am not running a "mission critical" network here. It is used by few people, for nothing financially or personally critical, rather for experimentation, development and testing.

3 Answers


You can use TSIG-based access-control on your BIND resolvers for this. This works with clients that can actually use TSIG, which probably limits it to those running a local BIND instance themselves.

See http://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/ and http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch04.html#id2570685.

Do note that this makes it very easy to mount a denial of service attack on your resolvers by forcing them to validate a flood of bogus signatures.

In general, I would strongly advise against running your own resolvers for your clients on the Internet. It will work only in exceptional cases, and there simply isn’t any rational use-case. Your DNS queries should not contain sensitive data, or you’re doing it wrong. If your ISPs’ resolvers are too unreliable or nonexistent, use OpenDNS or Google Public DNS (I’d rather not use those if I don’t have to).

If anything, run local BIND (or rather unbound) resolvers where you can, enable DNSSEC and sign your zones.
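As an added illustration of the TSIG approach described in this answer (not the answerer's own configuration), here is a named.conf fragment for the Rackspace resolver and the matching stanza for a caching BIND instance on a Linux client. The key name "client-key", the secret and the address 203.0.113.10 are placeholders; generate a real secret with tsig-keygen and use the same key on both ends.

```conf
## --- Rackspace resolver: /etc/named.conf (added example, placeholder values) ---
key "client-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";   # base64 secret, identical on both ends
};

options {
    recursion yes;
    # Anyone may send a query, but only queries carrying a valid TSIG signature
    # get recursion or answers from the cache; unsigned lookups come back REFUSED.
    allow-query       { any; };
    allow-recursion   { key "client-key"; localhost; };
    allow-query-cache { key "client-key"; localhost; };
};

## --- Linux client: caching BIND that forwards everything to the resolver ---
key "client-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";
};

# 203.0.113.10 stands in for the Rackspace instance's public address.
server 203.0.113.10 {
    keys { "client-key"; };        # sign every query sent to this server
};

options {
    recursion yes;
    allow-recursion { localhost; localnets; };   # only the local machine/LAN may use this cache
    forward only;
    forwarders { 203.0.113.10; };
};
```

To check the policy from a client, `dig @203.0.113.10 -y hmac-sha256:client-key:<secret> example.com` should resolve, while the same query without `-y` should return status REFUSED.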


The following won't work for Android, but it works great on GNU/Linux clients. Technically, it involves setting up a VPN, but there's no actual setup involved, nor does your actual network traffic go to the remote server (except for your DNS queries, of course, which go to the remote server -- that's the whole point!), so the load on the remote server is minimal. If you have ssh access to your remote server then you can do this.

On the Rackspace instance, which I'll call remote-server.com: make sure sshd and named are working.

On the Linux clients:

sudo apt install sshuttle ### or dnf install sshuttle, or whatever
sshuttle --dns -r username@remote-server.com 192.0.2.0/24

This sets up a VPN which routes all DNS queries, plus all network traffic sent to 192.0.2.0/24, to the remote server. But 192.0.2.0/24 is an IP address blackhole (RFC 5737), so in practice no actual network traffic gets sent to the remote server. However, DNS queries will be sent to the remote server.

djao

I don't believe you can filter based on the OS that the client is running. But if you know the IPs the clients (or caching servers) are connecting from, you can use an ACL like this:

acl "trusted" {
    192.168.0.0/16;
    10.153.154.0/24;
    localhost;
    localnets;
};

options {
    ...
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    ...
};
MVanOrder