Forwarding for one zone with access control

Robert Brewer rbrewer at lava.net
Sun Dec 9 02:12:17 UTC 2001


Hi. I'm struggling with some performance problems in BIND 8 & 9 when 
loading a very large zone (the RBL+ zone from MAPS). Both BIND versions use 
a lot of CPU and drop incoming queries on the floor when they are loading 
the big (14+ MB) zone. We have several name servers that are loading this 
zone (they form a virtualized name server using a layer 3 switch), and 
having them all drop queries at around the same time is annoying.

My current tack is to have just one server load the zone and have the other 
servers forward requests for that zone to the designated server. However, I 
need to enforce the MAPS license, which means that I have to restrict what 
clients can make queries.

In BIND 8, I was hoping to be able to do something like this:

        zone "rbl-plus.mail-abuse.org" {
                type forward;
                forward only;
                forwarders {
                        64.65.64.22; // designated server
                };
                allow-query {
                        127.0.0.1;
                        64.65.64.0/25; // authorized clients
                };
        };

But this doesn't work: you can't have "allow-query" in a zone of type 
"forward". Any idea how to make this work in BIND 8?

Next I tried the same thing in BIND 9, which also doesn't work. Then I 
started messing around with views. This does part of what I want:

        view "rbl-plus-forward" {
                // match only server subnet and localhost
                match-clients {
                        127.0.0.1;
                        64.65.64.0/25;
                };
                // Forward all requests for RBL+ to our special server
                zone "rbl-plus.mail-abuse.org" {
                        type forward;
                        forward only;
                        forwarders {
                                64.65.64.22;
                        };
                };
        }; // end view "rbl-plus-forward"

        view "normal" {
                match-clients { any; };

                [...all the normal zones here...]

        };

This appears to forward requests for rbl-plus from authorized clients, but 
it also causes requests for other zones from the authorized clients to be 
forwarded (or at least it seems that way since the responses aren't 
authoritative as they should be). It looks like a view matches only on the 
client IP address, but what I really want is a match on the client IP 
address AND the queried domain name. All other queries from the authorized 
clients should be processed normally.

Any ideas would be most appreciated. Mahalo.
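The behaviour described above follows from how BIND 9 views work: each view is a separate namespace, and a client that matches a view only ever sees the zones defined inside that view. In the "rbl-plus-forward" view only the forward zone is defined, so every other query from the authorized subnet is resolved recursively rather than answered from the local authoritative zones, which is why those answers lose the AA bit. Views do not exist in BIND 8, so the only way to get the "client IP AND queried name" effect is in BIND 9, by putting the normal zones into the restricted view as well. The named.conf fragment below is an added example and is not from the original post; the addresses are the ones given in the post, while the ACL name, the include path and the per-view recursion settings are assumptions to be adjusted to local policy.

```conf
// Added example (not part of the original post): BIND 9 named.conf fragment.
// Addresses come from the post; "rbl-clients" and the include path are hypothetical.
//
// /etc/named/zones.common.conf (hypothetical path) holds the zone statements
// that every client should see: root hints, localhost, and the server's own
// authoritative zones. Including it in BOTH views keeps those answers
// authoritative regardless of which view a client lands in.

options {
        directory "/var/named";
        // recursion is set per view below
};

acl "rbl-clients" {
        127.0.0.1;
        64.65.64.0/25;          // authorized clients (from the post)
};

// Views are tried in the order written; the first match-clients hit wins,
// so the restricted view must come before the catch-all view.
view "rbl-plus-forward" {
        match-clients { "rbl-clients"; };
        recursion yes;          // assumption: authorized hosts may recurse here

        // The only zone that is forwarded. Everything else in this view is
        // served from the same zone set as the public view (below).
        zone "rbl-plus.mail-abuse.org" {
                type forward;
                forward only;
                forwarders { 64.65.64.22; };    // designated server
        };

        include "/etc/named/zones.common.conf";
};

view "normal" {
        match-clients { any; };
        recursion no;           // assumption: outside clients get authoritative data only

        // No forward zone is defined here, so clients outside the ACL have no
        // path through this host to the designated server for the licensed zone.
        include "/etc/named/zones.common.conf";
};
```

Because the same include file is loaded into both views, the only difference an authorized client sees is the extra forward zone; a check with `dig @server example-of-your-own-zone SOA` from inside and outside the subnet should return the AA flag in both cases, and `dig @server rbl-plus.mail-abuse.org` from outside the subnet should not be forwarded.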


More information about the bind-users mailing list