Bind9 with two views, and IPv6

Bind in its various incarnations is perhaps the most widely used DNS server software on the planet; certainly the most-used open-source DNS server.

I've been using it at home for quite a long time, but now that I've changed my domestic Internet provider to Zen Internet (http://www.zen.co.uk/), I get one static IPv4 address for free, and, more interestingly, I get a whole /48 of IPv6 addresses included in the price. What's even more interesting is that Zen will, on request, delegate IPv6 reverse DNS to a server of your choice.

Naturally, I couldn't pass up the opportunity to do this reverse IPv6 DNS on my own server. What this does mean, of course, is that for this to make any sense, my DNS server has to be open to the whole world. This has a whole lot of security implications, like running it in a chroot on Linux, in a DMZ, on a logically or physically separate machine, and so on. Well, I haven't got into running VMs at home (yet!), but I do have a Raspberry Pi that's been sitting in a drawer doing nothing for quite a while, so I've pressed it into service.

One very important piece of the security profile is exactly what DNS information you reveal to the outside world. Fortunately, Bind has the means to provide different information to different clients, all from a single running instance. This is done with a feature known as a "view," which, simply put, means that you can use various criteria (the client's IP address being perhaps the simplest, and that's what I'm using) to determine what kind of client is asking your DNS server a question. So for devices on the internal network (two /24s from private RFC1918 addresses, being not just computers, but mobile phones, game consoles, smart TVs, satellite TV receivers etc.) a full and complete picture of the internal network can be provided, but for external clients, I can provide only IPv6 reverse DNS (like I said above, my ISP delegates this to me now).
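As an added illustration of the split described above (this is example configuration written for this post, not the author's actual named.conf), here is a minimal named.conf with two views: internal clients, matched by source address, get recursion and the full internal zones; everyone else gets no recursion and only the delegated ip6.arpa zone. The two RFC1918 /24s, the internal zone name and the /48 (2001:db8::/48, a documentation prefix) are placeholders.

```conf
// Added example, not the original configuration. Addresses are placeholders.
acl "internal" {
    127.0.0.0/8;
    ::1/128;
    192.168.1.0/24;      // assumed internal /24 #1
    192.168.2.0/24;      // assumed internal /24 #2
};

options {
    directory "/var/named";
    listen-on { any; };
    listen-on-v6 { any; };
    allow-transfer { none; };   // no zone transfers to anyone by default
    version "not disclosed";    // don't advertise the BIND version
};

// Views are tried in order and the first match-clients hit wins,
// so the internal view must come before the catch-all external one.
// Once views are used, every zone must live inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-query { internal; };

    zone "home.example" {                 // assumed internal zone name
        type master;
        file "internal/home.example.zone";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "internal/1.168.192.in-addr.arpa.zone";
    };
    zone "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {   // reverse of 2001:db8::/48
        type master;
        file "internal/ip6.arpa.zone";
    };
};

// Everyone else: authoritative answers only, for the delegated /48.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };

    zone "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
        type master;
        file "external/ip6.arpa.zone";   // separate file: only public PTRs
    };
};
```

Run named-checkconf before reloading, and confirm the split from outside the LAN by checking that a query for an internal name or a recursive lookup is refused while a PTR under the /48 is answered.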

Together with the usual array of security measures (firewall, protocol inspection, intrusion prevention) I think this should work pretty well. Certainly I haven't had any issues so far.
