DNS. The Domain Name System is a wonderful thing. Most of the brains out there are just not made for numbers. Now, with IPv6, the whole thing gets even more important. But there is a dark side, as always. The dark side of DNS is DNS tunneling. With this technique one is able to bypass a firewall completely, ignore proxy servers and not give a shit about all your fancy and expensive network security devices.

There are definitely some servers or computers that don’t need to be able to look up every existing domain name in the world. Think about your DMZ, for example. Restricting the domains your servers can look up makes it almost or – depending on your final config – absolutely impossible to build up a DNS tunnel. So I made an example config on how to lock down a BIND server so that it only allows certain domains to be looked up for some computers, but still lets the others look up all domains. Of course, this is a minimalistic config; you should for sure tune it up a bit to fit your needs, but it may give you an idea of how to configure BIND for your most secured servers.

enjoy.

// The clients in  can only lookup domains known by
//  and exception.org.
// this may be useful to prevent DMZ Servers from opening DNS tunnels etc.
// Of course,  must not allow forwarding...
//
// Instead of forwarding, you can also define your zones directly
// in the view.
view "limiteddnslookup" {
  match-clients { ; };
  allow-recursion { ; };
  recursion yes;
  // optional: internal forward servers
  forward only;
  forwarders { ; };
  // optional: exception domain(s)
  zone "exception.org" {
    type forward;
    forwarders { ; };
  };
};
// This is for all the other clients in your network. They can look up any
// name they like that is known by .
view "allothers" {
  recursion yes;
  match-clients { any; };
  include "/etc/bind/named.conf.default-zones";
  forwarders { ; };
};
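Once the views are in place, it is worth checking from a host inside the restricted view that an allowed name still resolves and an arbitrary outside name does not. The following script is an added example, not part of the original post; it speaks raw DNS over UDP with only the standard library, and the resolver address and the two test names are placeholders you replace with your own.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Build a minimal recursive DNS query (A record by default); returns (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_response(packet, expected_id):
    """Return (rcode name, answer count) from a reply; reject a mismatched transaction id."""
    txid, flags, _qdcount, ancount = struct.unpack(">HHHH", packet[:8])
    if txid != expected_id:
        raise ValueError("transaction id mismatch, ignoring stray reply")
    rcode = flags & 0x0F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def verdict(should_resolve, rcode, ancount):
    """Compare what the resolver answered with what the view is supposed to enforce."""
    resolved = rcode == "NOERROR" and ancount > 0
    if should_resolve and resolved:
        return "OK"
    if should_resolve and not resolved:
        return "BROKEN"   # an allowed name no longer resolves: forwarders or zone misconfigured
    if not should_resolve and resolved:
        return "LEAK"     # the view still lets this client resolve arbitrary names
    return "BLOCKED"

def query(server, name, timeout=3.0):
    """Send one UDP query and parse the reply (needs network; the offline test does not call it)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)

if __name__ == "__main__":
    # Placeholders: your BIND server, one name in the exception zone, one arbitrary outside name.
    SERVER = "192.0.2.53"
    for name, should_resolve in [("host.exception.org", True), ("www.example.com", False)]:
        rcode, ancount = query(SERVER, name)
        print(f"{name}: {rcode} ({ancount} answers) -> {verdict(should_resolve, rcode, ancount)}")
```

Run it from a DMZ host matched by the "limiteddnslookup" view; a "LEAK" line means the restricted view, or the forwarder behind it, still answers for names it should not.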