From: Azze, Jason (JAzze@mail.fairfield.edu)
Date: Wed Jul 07 2004 - 12:20:30 CDT
I posted this over on resnet-l, but I thought it might be of interest
here, too. Executive summary: If you want to let your bogus DNS allow
access to Windows Update (or other "self-help" sites), you can use this
method.
=========================
With the help of Jim Mayne from TCU and Phil Rodrigues from NYU, we were
able to implement the selective forwarding/split DNS system using BIND
as a selective forwarder. I'll post the contents of the two files needed
below. The first is our named.conf (unsanitized), the second is a file
called fake-root, which is a substitute root hints file. We're using
BIND 9.2.1. Our BIND lives in /etc/bind/. If yours isn't there, you will
have to adjust the path for the hint file at the end of named.conf.
10.98.1.100 is the IP of our forwarding DNS server (where the named.conf
and fake-root files live). All quarantined clients are assigned this as
their DNS server.
10.98.1.1 is a "good/normal" DNS server that can resolve all addresses.
We forward our self-help DNS requests to this box.
10.98.1.9 is a fake root server named romulus. It's configured to think
that everything in the "." zone--which is everything--resolves to our
quarantine network web server. The fake-root root hints file points to
romulus.
You may notice that we have fairfield.edu in our list of domains whose
requests get forwarded to the real DNS. We did this for two reasons: 1)
Windows clients like to append their "home" zone onto the end of all DNS
queries. So when we tried to resolve microsoft.com, Windows clients
actually asked for microsoft.com.fairfield.edu, which broke the system.
2) We want to allow our quarantined students to get to some of our
in-house resources that live in the fairfield.edu zone. Nslookup is your
friend while testing this. Also remember ipconfig /flushdns when testing
your Windows clients.
End of lecture!
--
Jason Azze
Network Support Specialist
Fairfield University

Here are the file contents:
***************Following is the named.conf**********************
// named.conf for Selective Forwarding
// Belongs at /etc/bind/named.conf
server 10.98.1.100 { };
options { directory "/etc/bind"; };
zone "fairfield.edu" { type forward; forwarders { 10.98.1.1; }; };
zone "microsoft.com" { type forward; forwarders { 10.98.1.1; }; };
zone "akadns.com" { type forward; forwarders { 10.98.1.1; }; };
zone "akadns.net" { type forward; forwarders { 10.98.1.1; }; };
zone "akamai.com" { type forward; forwarders { 10.98.1.1; }; };
zone "akamai.net" { type forward; forwarders { 10.98.1.1; }; };
zone "download.windowsupdate.com" { type forward; forwarders { 10.98.1.1; }; };
zone "faculty.fairfield.edu" { type forward; forwarders { 10.98.1.1; }; };
zone "msft.com" { type forward; forwarders { 10.98.1.1; }; };
zone "msft.net" { type forward; forwarders { 10.98.1.1; }; };
zone "nsatc.net" { type forward; forwarders { 10.98.1.1; }; };
zone "nsatc.com" { type forward; forwarders { 10.98.1.1; }; };
zone "ntservicepack.microsoft.com" { type forward; forwarders { 10.98.1.1; }; };
zone "symantec.com" { type forward; forwarders { 10.98.1.1; }; };
zone "windows.com" { type forward; forwarders { 10.98.1.1; }; };
zone "windows.net" { type forward; forwarders { 10.98.1.1; }; };
zone "windowsupdate.com" { type forward; forwarders { 10.98.1.1; }; };
zone "windowsupdate.microsoft.com" { type forward; forwarders { 10.98.1.1; }; };
zone "windowsupdate.net" { type forward; forwarders { 10.98.1.1; }; };
zone "wustat.windows.com" { type forward; forwarders { 10.98.1.1; }; };
zone "." { type hint; file "/etc/bind/fake-root"; };
*******************Following is fake-root************************
$TTL 3600
. IN NS romulus.
romulus IN A 10.98.1.9
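One way to check which path a given query takes through a config like the one above, before pointing quarantined clients at it, is to emulate BIND's zone selection (longest matching suffix) over the zone statements. This is an added example, not Jason's code or part of BIND; it parses a constructed excerpt of the posted named.conf and shows why the fairfield.edu forward zone rescues queries that Windows clients send with their home suffix appended.

```python
import re

# Constructed excerpt of the named.conf posted above (not the full file).
NAMED_CONF = """
server 10.98.1.100 { };
options { directory "/etc/bind"; };
zone "fairfield.edu" { type forward; forwarders { 10.98.1.1; }; };
zone "microsoft.com" { type forward; forwarders { 10.98.1.1; }; };
zone "download.windowsupdate.com" { type forward; forwarders { 10.98.1.1; }; };
zone "." { type hint; file "/etc/bind/fake-root"; };
"""

# Matches: zone "<name>" { type <type>; [forwarders { a; b; }] ... };
ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{\s*type\s+(\w+);(?:\s*forwarders\s*\{\s*([^}]*)\})?'
)

def parse_zones(conf):
    """Return {zone_name: (type, [forwarders])}; the root zone is keyed as '.'."""
    zones = {}
    for name, ztype, fwd in ZONE_RE.findall(conf):
        forwarders = [f.strip() for f in fwd.split(";") if f.strip()] if fwd else []
        zones[name.rstrip(".").lower() or "."] = (ztype, forwarders)
    return zones

def best_zone(qname, zones):
    """Pick the most specific configured zone for qname, as BIND does."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return "."  # falls through to the hint zone, i.e. the fake root

def classify(qname, zones):
    """('forward', zone, forwarder) if the query leaves the quarantine,
    ('quarantine', zone, None) if the fake root answers it."""
    zone = best_zone(qname, zones)
    ztype, forwarders = zones[zone]
    if ztype == "forward":
        return ("forward", zone, forwarders[0])
    return ("quarantine", zone, None)

def with_search_suffix(qname, suffix):
    """Name a Windows client actually sends first when it appends its DNS suffix."""
    return f"{qname.rstrip('.')}.{suffix.strip('.')}"

ZONES = parse_zones(NAMED_CONF)
```

Run classify() over the names your self-help sites actually resolve (including CDN names like akadns.net) to confirm each one forwards; anything that comes back "quarantine" needs a forward zone added.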