Forwarding for one zone with access control
Robert Brewer
rbrewer at lava.net
Sun Dec 9 02:12:17 UTC 2001
Hi. I'm struggling with some performance problems in BIND 8 & 9 when
loading a very large zone (the RBL+ zone from MAPS). Both BIND versions use
a lot of CPU and drop incoming queries on the floor when they are loading
the big (14+ MB) zone. We have several name servers that are loading this
zone (they form a virtualized name server using a layer 3 switch), and
having them all drop queries at around the same time is annoying.
My current tack is to have just one server load the zone and have the other
servers forward requests for that zone to the designated server. However, I
need to enforce the MAPS license, which means that I have to restrict what
clients can make queries.
In BIND 8, I was hoping to be able to do something like this:
zone "rbl-plus.mail-abuse.org" {
    type forward;
    forward only;
    forwarders {
        64.65.64.22;        // designated server
    };
    allow-query {
        127.0.0.1;
        64.65.64.0/25;      // authorized clients
    };
};
But this doesn't work: you can't have "allow-query" in a zone of type
"forward". Any idea how to make this work in BIND 8?
Next I tried the same thing in BIND 9, which also doesn't work. Then I
started messing around with views. This does part of what I want:
view "rbl-plus-forward" {
    // match only server subnet and localhost
    match-clients {
        127.0.0.1;
        64.65.64.0/25;
    };
    // Forward all requests for RBL+ to our special server
    zone "rbl-plus.mail-abuse.org" {
        type forward;
        forward only;
        forwarders {
            64.65.64.22;
        };
    };
};  // end view "rbl-plus-forward"

view "normal" {
    match-clients { any; };
    [...all the normal zones here...]
};
This appears to forward requests for rbl-plus from authorized clients, but
it also causes requests for other zones from the authorized clients to be
forwarded (or at least it seems that way since the responses aren't
authoritative as they should be). It looks like a view matches only on the
client IP address, but what I really want is a match on the client IP
address AND the queried domain name. All other queries from the authorized
clients should be processed normally.
Any ideas would be most appreciated. Mahalo.
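Added example (not part of the original post, and not an official ISC configuration): a BIND 9 named.conf sketch for the view-based approach described above. In BIND 9 a view is selected purely on the client address, and a view only knows about the zones declared inside it; any name that falls outside those zones is resolved by recursion, which is why the authorized clients get non-authoritative answers for the normal zones when those zones live only in the "normal" view. The usual remedy is to declare the normal zones in both views. The example assumes the normal zone statements are kept in a file named normal-zones.conf that is pulled into each view with an include statement; the ACL name "rbl-clients" and the recursion settings are assumptions, and the addresses are the ones from the post.

```text
// Added example: BIND 9 named.conf with a per-client forward zone.
// Assumes the normal zones are kept in "normal-zones.conf" (assumed file name).

acl "rbl-clients" {
    127.0.0.1;
    64.65.64.0/25;      // authorized clients, as in the post
};

view "rbl-plus-forward" {
    match-clients { "rbl-clients"; };

    // Forward RBL+ lookups to the one server that loads the big zone.
    zone "rbl-plus.mail-abuse.org" {
        type forward;
        forward only;
        forwarders { 64.65.64.22; };
    };

    // Declare the normal zones in this view as well. A view answers
    // authoritatively only for zones declared inside it; anything else
    // is recursed, which produces the non-authoritative answers seen above.
    include "normal-zones.conf";

    recursion yes;      // assumed: these clients are allowed to recurse
};

view "normal" {
    match-clients { any; };

    // No rbl-plus.mail-abuse.org zone here, so clients outside the ACL
    // never have RBL+ queries forwarded on their behalf by this server.
    include "normal-zones.conf";

    // Keep whatever recursion policy already applies to everyone else.
};
```

Because the only thing that differs between the two views is the presence of the forward zone, the views act as the "client address AND queried name" check the post asks for: authorized clients get RBL+ answers from 64.65.64.22 and authoritative answers for everything else, while all other clients see exactly the normal configuration. The designated server 64.65.64.22 should still carry its own allow-query on the RBL+ zone, since the forwarding servers are not the only path to it.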