Myth of Recursive DNS Queries

I’ve recently been working on Infoblox DNS service migration projects and came across a problem. It took hours of investigation to find out the root cause. I would like to share this information in the hope of saving valuable time for others who might be experiencing the same issue.

Problem

When you have external DNS servers enabled for recursive queries from DNS clients, those clients are at times denied even though their IPs are in the allow-recursion access list.

Root Cause

BIND-based DNS servers (as well as most others) keep every recursive query response they receive in their DNS cache for as long as that response is valid (its TTL). If a DNS client sends a query whose response is already in the DNS cache, the DNS server no longer applies the allow-recursion access list to the source IP of the query. Instead it tries to match the allow-query access list, and if the query source IP does not match, the DNS server denies the query, even though the source IP is in the allow-recursion access list.

For example:

     allow-recursion access list: 10.0.0.0/8
     allow-query access list: 1.2.3.4

A DNS client with source IP 10.1.1.1 sends a query for www.google.com. The Infoblox DNS server performs the recursion (the client is allowed to, since its IP is in the allow-recursion list). The recursive query response is saved in the DNS cache for as long as it is valid (its TTL).

Another DNS client with IP 10.2.2.2 sends a query for the same record, www.google.com. This time, because the response is already in the DNS cache, the allow-query access list applies, and the client is denied because 10.2.2.2 is not in the allow-query access list.

Solution

To avoid this behaviour when the DNS name server needs access control on its DNS clients, one solution is to make the allow-query access list match the allow-recursion access list, so that a client allowed to trigger recursion is also allowed to read the cached answer.
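The following is an added model of the decision flow described above (it is not Infoblox or BIND code): a TTL-bounded cache, an allow-recursion list and an allow-query list, replayed with the two clients from the example. The upstream answer and the TTL are constructed values.

```python
import ipaddress
import time

# Constructed model of the behaviour described in the post; not Infoblox or BIND code.

class Acl:
    """Access list of CIDR prefixes; an empty list matches nothing."""
    def __init__(self, *prefixes):
        self.nets = [ipaddress.ip_network(p) for p in prefixes]

    def allows(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.nets)

class Resolver:
    """Recursive name server with a TTL-bounded cache, as the post describes it."""
    def __init__(self, allow_recursion, allow_query, ttl=300):
        self.allow_recursion = allow_recursion
        self.allow_query = allow_query
        self.ttl = ttl              # constructed TTL in seconds
        self.cache = {}             # qname -> (answer, expiry time)

    def query(self, client_ip, qname, now=None):
        now = time.time() if now is None else now
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            # Cache hit: per the post, only the allow-query list is consulted here.
            if not self.allow_query.allows(client_ip):
                return "REFUSED"
            return cached[0]
        # Cache miss (or expired): recursion is needed, so allow-recursion governs.
        if not self.allow_recursion.allows(client_ip):
            return "REFUSED"
        answer = f"{qname} A 203.0.113.10"      # constructed upstream answer
        self.cache[qname] = (answer, now + self.ttl)
        return answer

def replay(allow_query_prefixes):
    """Two clients from 10.0.0.0/8 query the same name one second apart."""
    r = Resolver(Acl("10.0.0.0/8"), Acl(*allow_query_prefixes))
    first = r.query("10.1.1.1", "www.google.com", now=0)
    second = r.query("10.2.2.2", "www.google.com", now=1)
    return first, second
```

With `replay(["1.2.3.4"])` the second client is refused; with `replay(["10.0.0.0/8"])` both clients get the answer, and once the TTL expires the refused client is served again because recursion is performed anew.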
