Forward only BIND server [closed]

domain-name-system bind

I have a unique situation where I provide hosting service with subdomain.mycompany.com to my users. The subdomain can be hosted on any of my geographically distributed servers which has their own name servers configured.

To correctly resolve IP addresses I have created a "forward" only name server which basically acts as a gateway to all other name servers. Makes sense?

Here is my config

options {
    allow-query { any; };
    dnssec-enable yes;
    dnssec-validation yes;

    auth-nxdomain no;    
    listen-on-v6 { any; };
    recursion yes;
    forwarders {
            nameserver-loc1.ip;
            nameserver-loc2.ip;
            nameserver-loc3.ip;
            nameserver-loc4.ip;
    };

    forward only;
}

My question is - Am I in the right direction (as I am new to BIND server) and how can I secure this configuration to increase security posture.


If I understand your setup correctly, it doesn't sound like it will work.

First of all, forwarding in BIND works as a variation of recursion. Ie, it will only be acted upon if the RD (Recursion Desired) bit is set in the incoming query.
Forwarding will happen if someone has your nameserver in resolv.conf (the OS stub resolver does set RD) but when a domain has been delegated to your server and some recursor out there queries your server RD is not set.

Secondly, NXDOMAIN is a valid response and will not trigger retries, so if the first forwarder that is used answers with NXDOMAIN this is what the response to the client will be.
Actual errors, like SERVFAIL or lack of a response would cause it to try the next server as well, though.

And as for security, from what I can tell this is largely a non-issue considering that it seems like a fundamentally non-working setup.
However, while your setup allows recursion from absolutely anywhere, which is normally disastrous, it is set to forward only and lists your own presumably authoritative-only nameservers (if they do allow recursion, however, stick to "disastrously bad"), the set of names that you can actually get answers on is limited and I suppose the end result is not that much more problematic than just a normal authoritative server.

Related

HAPRoxy Rate Limiting - Stick-Table Entry Expiration
File permissions question
How to configure and use all the IPs given by my provider?
Sending a malicious package as a test to test Suricata alerts
What's the maximum size of an nginx *.conf file?
Can an SMTP server tell the sending MTA to send to another address?
Google Cloud Services - unable to SSH into instance at all
Have nginx redirect everything to https except one directory
Can't change the data-directory for MariaDB Centos7.6
How-to DNAT-forward all IP traffic on Windows 10 from IP1 to IP2?
Clarification on the configuration of a mail server
Elevating user to root with Ansible