Author Topic: Disable Root DNS lookups

ShosMeister

  • Zen Apprentice
  • Posts: 13
  • Karma: +0/-0
Disable Root DNS lookups
« on: March 04, 2017, 03:49:03 pm »
I have Zentyal 4.2 and 5.0 set up in our lab and we are working on our network security. One thing we noticed is that Zentyal continually tries to contact the root DNS servers for some reason. Is there a way to disable this behavior, and if so, how?

The best I could find was instructions stating that if you define a forwarder, then Zentyal would use that and ignore the root DNS servers. I tried that but it didn't stop the traffic.

Any ideas/thoughts? No it's not really a big deal but it's just unnecessary noise on the network.

ShosMeister

  • Zen Apprentice
  • Posts: 13
  • Karma: +0/-0
Re: Disable Root DNS lookups
« Reply #1 on: April 05, 2017, 06:29:24 pm »
I'm guessing there are no ideas on how to do this?

ShosMeister

  • Zen Apprentice
  • Posts: 13
  • Karma: +0/-0
Re: Disable Root DNS lookups
« Reply #2 on: May 26, 2017, 09:07:33 pm »
Seems odd that no-one else would need/want to do this especially in a "closed" network.

jgould

  • Zen Monk
  • Posts: 52
  • Karma: +6/-0
Re: Disable Root DNS lookups
« Reply #3 on: May 31, 2017, 09:12:16 pm »
In my setup, client requests go first to the BIND DNS server that is provided by Zentyal. If the lookup fails because the name isn't defined in the local DNS, it uses the forwarders (ISP DNS, Google DNS, OpenDNS, etc.).

Seeing as Zentyal uses the Bind9_DLZ backend, it is configured essentially as described HERE in the Samba Wiki. There you will find a section, "Downloading the DNS Root Servers List", and a section of the basic configuration that shows how to include that downloaded root DNS server list.

Now, on Zentyal, BIND and its configuration are located in /etc/bind. There is a file called db.root, which is equivalent to named.root in the Samba example, and contains the root servers list. That file is referenced in the main BIND configuration file, named.conf. It looks like this:

Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

With all that in mind, I would postulate that if you were to edit the stubs file for BIND you could exclude the root servers. Edit the file
Code:
/usr/share/zentyal/stubs/dns/named.conf.mas
and delete the section
Code:
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

I can't say if that will work or give you the desired result. I honestly am not sure what you are even trying to accomplish. There also could be a better way to handle what you want that I'm not aware of. However, I figured I'd give you an idea of what I'd try based on what you were asking. (PS: if what you were trying to do was to create an isolated "closed" network, I'd think you would just provide a LAN interface without any WAN interface... but I probably don't understand what you are trying to do.)
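An added illustration of why defining a forwarder alone may not stop the root-server traffic (this is constructed example configuration, not from this thread and not Zentyal's generated files): when forwarders are listed, BIND's default mode is `forward first`, which falls back to iterating from the root hints whenever a forwarder times out or fails, whereas `forward only` removes that fallback. It assumes the options live in /etc/bind/named.conf.options as included by the named.conf above; the forwarder addresses are placeholders from the documentation range.

```conf
// Constructed example, not Zentyal's own configuration.
// BEFORE: forwarders are set, but the implicit default "forward first"
// lets BIND iterate from the root hints (zone "." type hint) whenever
// a forwarder does not answer, so root-server traffic still appears.
options {
        directory "/var/cache/bind";
        recursion yes;
        forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder resolver IPs
        // forward first;   <- what BIND uses when nothing is specified
};

// AFTER: "forward only" makes BIND answer SERVFAIL instead of iterating
// when every forwarder fails, so no queries reach the root servers even
// though the root hint zone is still declared in named.conf.
options {
        directory "/var/cache/bind";
        recursion yes;
        forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder resolver IPs
        forward only;
        // Limit recursion to the LAN so the forwarder path is not an open resolver.
        allow-recursion { localnets; 127.0.0.1; };
};
```

Only one `options` block may exist in a running configuration; the two are shown side by side for comparison. On Zentyal the files under /etc/bind are regenerated from the templates in /usr/share/zentyal/stubs/dns, so a change like this belongs in the template rather than in /etc/bind directly.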

smokinjoe

  • Zen Apprentice
  • Posts: 3
  • Karma: +1/-0
Re: Disable Root DNS lookups
« Reply #4 on: July 04, 2020, 04:06:13 pm »
Yep, I see this is an old post.

Why would customers want to do this?

They use pfBlockerNG-devel for DNS filtering. So it is OK if the Zentyal server does the caching of DNS queries for the LAN, and it should get ALL data from the resolver. If we have 2 resolvers, we are smart. With one resolver, we are not so smart. We should have a checkbox to disable using the root servers. Also, the root server file is out of date on Devel 6.2.0.

;       last update:    February 17, 2016
;       related version of root zone:   2016021701


doncamilo

  • Zen Samurai
  • Posts: 478
  • Karma: +165/-1
Re: Disable Root DNS lookups
« Reply #5 on: July 08, 2020, 09:48:03 am »
 :)

If you configure some DNS forwarder, Zentyal doesn't query the root servers.

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi, Don Camillo.