[Dnsmasq-discuss] Restrict DNS reply to specific clients

Guy Wijnants Guy.Wijnants at Imtech-Telecom.Be
Wed Feb 3 14:00:01 GMT 2016 

Hi Albert,

While reading your response I came to the conclusion that I forgot to mention 1 huge thing:

Using ip's from my previous examples
The DNS server is connected to a Firewall. The Firewall has the public IP (193.0.0.1) on it and NAT's DNS requests to the private ip address of the DNS server (example 10.1.1.1).
Some of our clients are behind a public IP range (as example 200.1.1.0 /24) and have the DNS servers public ip (193.0.0.1) as their primary DNS server.

This means although they are very good solution, they will not work for my setup.

Thank you for the assistance

Kind regards,

Guy


-----Original Message-----
From: Albert ARIBAUD [mailto:albert.aribaud at free.fr] 
Sent: woensdag 3 februari 2016 12:51
To: Guy Wijnants
Cc: dnsmasq-discuss at lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi again Guy,

Le Wed, 3 Feb 2016 12:24:26 +0100
"Guy Wijnants" <Guy.Wijnants at Imtech-Telecom.Be> a écrit:

> Hi Albert,
> 
> Thank you for the quick response.
> You can compare our DNS server as kind of an ISP DNS server in the way 
> that it hosts public domains and acts as DNS resolver for our clients. 
> If I enable dnsmasq all queries are passed to dnsmasq to check whether 
> the domain needs to be blocked, if it does not need to be blocked 
> dnsmasq will pass the query through to the named service which further 
> handles the query. But dnsmasq does not have something like the allow 
> option to limit the hosts that can query the server.
> 
> Situation now:
> Everyone can set our DNS server as their primary DNS server as dnsmasq 
> does not filter to who can query the DNS server. In the named service 
> you have the option to filter who can query the DNS server 
> (allow-recursion function). But because our dnsmasq speaks to the 
> named service using its own ip, the named service always allow the 
> query and no filtering is done whatsoever. Example: Our server is 
> master of the public domain www.iammaster.com You at home set our DNS 
> (we give it ip 193.0.0.1) server as its primary DNS server. You query 
> www.google.com and our server WILL respond with the corresponding IP.
> You query www.iammaster.com and our server WILL respond with the 
> corresponding IP. Our clients (in network 192.168.0.0/24) sets our 
> server as its primary DNS server and query www.google.com and our 
> server WILL respond with the corresponding IP.
> 
> Situation I need:
> People from the internet cannot set our DNS server as their primary 
> DNS, our clients with network for example 192.168.0.0/24 can query our 
> DNS server. Our DNS server ofcourse still responds to the query for 
> public domains where it is master from. Example You at home set our 
> DNS (we give it ip 193.0.0.1) server as its primary DNS server.
> You query www.google.com and our server WILL NOT respond as you are 
> not allowed to query our server. You set a different DNS server as 
> your primary DNS (8.8.8.8 for example) and you query www.iammaster.com 
> and our server WILL respond with the corresponding IP for this domain. 
> Our clients (in network 192.168.0.0/24) sets our server as its primary 
> DNS server and query www.google.com and our server WILL respond with 
> the corresponding IP. Our clients query www.iammaster.com and our 
> server WILL respond with the corresponding IP for this domain.
> 
> Configuration now:
> Dnsmasq listen on ip 193.0.0.1 port 53 when the site is allowed to be 
> resolved dnsmasq passes the request to 193.0.0.1:5353 (where our named 
> service listens on). The 'allow-recursion { localhost; x.x.x.x/24; 
> y.y.y.y/24; };' is bypassed as dnsmasq use 193.0.0.1 (or
> localhost) as source address (and not the originating source ip of the 
> requestor) for the query.
> 
> Thanks in advance for your support!

IIUC, what you want is two different things:

- a general name server for your internal network users to use, either
  by hard-coding it in their /etc/resolv.conf or through a DHCP option.
  This server needs at least one recursive-able server as its upstream,
  and only needs to be accessed from inside your network;

- an authoritative name server for some domains, for external use
  through the NS entry in these domains' zone files. That server does
  not need any upstream, and only needs to be accessed from outside
  your network.

Ideally these two services should be run by two different dnsmasq instances, the general one inside your LAN and the authoritative one facing outside; this would ensure the authoritative instance could not act as an open DNS and possibly as a participant in a DNS amplification attack.

I you really need a single instance, then I suspect you run it on a machine which has two interfaces, one with a LAN IP, one with the public IP corresponding to the NS entries in the zone files of your domains. In that case, --auth-server may be the option you need.

That way, outside users would be unable to reach the server through the 'LAN' interface, and would therefore only be able to access the authoritative [part of the] server, which would not answer to queries other that for the domains you have set i up with.

> Best regards,
> 
> Guy

Amicalement,
--
Albert.

More information about the Dnsmasq-discuss mailing list