named.conf
Mark.Andrews at nominum.com
Fri Mar 16 20:52:44 UTC 2001
>
>
>
> Hello all,
>
> I just wish to run my named.conf by you guys and see if I understood the
> docs correctly. It is included here at the bottom. Basically here's the
> situation: my server has two IPs on the same interface, 208.164.85.1 (dns
> server) and 64.110.177.129 (dhcp server). I don't want anyone to transfer
> any zone information (they are only done by secondary servers, right? other
> servers need not transfer my zones?).
> I only wish to allow certain servers
> (indicated with the server tag) to be able to transfer the 64.110.177.128/28
> RDNS zone. I also wish to deny recursive queries except from my own IPs.
> Keeping this in mind I drafted the named.conf below however, I see entries
> in the log saying "denied query from [some.ip].53 for websprinter.net" if I
> put in "allow-query { 208.164.85.0/28; 64.110.177.128/25; };". If I put in
> "allow-query { any; };", everything seems to work ok.
You need "allow-query { 208.164.85.0/28; 64.110.177.128/25; };" at
the options level and "allow-query { any; };" at the zone level.
This blocks access to cached data but not to zone data.
> I also perform DDNS
> from ISC's DHCP server on the same machine, which gives out IPs via
> 64.110.177.129. The problem is my ISP has delegated its RDNS to me even if
> the block is a partial one.
This is not evident from the answers on the net.
;; ANSWER SECTION:
177.110.64.in-addr.arpa. 23h57m35s IN NS ns4.interpacket.net.
177.110.64.in-addr.arpa. 23h57m35s IN NS ns1.interpacket.net.
177.110.64.in-addr.arpa. 23h57m35s IN NS ns2.interpacket.net.
> I suspect they're acting as a secondary server
> and transferring zones from me (that's why I allow them to transfer zones,
> but only for the 64.110.177.128/25 block). I also see several of these in
> my log files "named[5149]: 64.110.177.hosts:52: data
> "239.177.110.64.in-addr.arpa outside zone 128/25.177.110.64.in-addr.arpa
> (ignored)". I suspect this is caused by bind refusing the DDNS from my DHCP
> server.
No. This is caused by you having bad data in the zone file for
128/25.177.110.64.in-addr.arpa. It should contain an
entry for 239.128/25.177.110.64.in-addr.arpa, not an
entry for 239.177.110.64.in-addr.arpa.
I suggest that you go and re-read about setting up classless
in-addr.arpa zones again. Then talk to your ISP again because
128/25.177.110.64.in-addr.arpa is not yet delegated to you
and 177.110.64.in-addr.arpa is not yet set up to support
classless in-addr.arpa (no cnames).
Mark
>
> Can anyone help me figure out these 2 problems? Any comments on the
> included named.conf would also be appreciated (is it secure enough, does it
> make sense, are there redundancies, etc.).
>
>
> TIA,
>
> M. Yu
>
>
> [named.conf]
>
> server 216.226.222.62 {
> bogus no;
> support-ixfr no;
> transfer-format many-answers;
> };
>
> server 209.198.244.2 {
> bogus no;
> support-ixfr no;
> transfer-format many-answers;
> };
>
> server 209.198.248.226 {
> bogus no;
> support-ixfr no;
> transfer-format many-answers;
> };
>
> options {
> version "You gotta be kidding me!";
> directory "/var/named";
> notify no;
> recursion yes;
> rfc2308-type1 yes;
> treat-cr-as-space yes;
> allow-query { 208.164.85.0/28; 64.110.177.128/25; };
> allow-transfer { none; };
> allow-recursion { 208.164.85.0/28; 64.110.177.128/25; };
> listen-on port 53 { 208.164.85.1; };
> query-source address 208.164.85.1 port *;
> transfer-source 208.164.85.1;
> maintain-ixfr-base yes;
> statistics-interval 720;
> topology { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
> sortlist {
> { localhost; localnets; };
> { localnets; };
> };
> };
>
> logging {
> channel update_debug {
> file "/var/log/update-debug.log";
> severity debug 3;
> print-category yes;
> print-severity yes;
> print-time yes;
> };
> channel security_info {
> file "/var/log/named-auth.info";
> severity info;
> print-category yes;
> print-severity yes;
> print-time yes;
> };
> };
>
> zone "." {
> type hint;
> file "named.root";
> };
>
> zone "128/25.177.110.64.in-addr.arpa" {
> type master;
> file "64.110.177.hosts";
> allow-update { 64.110.177.129; };
> allow-transfer { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
> also-notify { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
> };
>
> zone "85.164.208.in-addr.arpa" {
> type master;
> file "208.164.85.hosts";
> };
>
> zone "websprinter.net" {
> type master;
> file "WEBSPRINTER.NET.hosts";
> allow-update { 64.110.177.129; };
> };
>
> [end]
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
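As an added illustration of the allow-query split Mark describes (this is not the poster's configuration and not from the reply), the fragment below puts the restrictive allow-query in the options block, where it governs answers from the cache, and opens each authoritative zone with its own allow-query { any; }. The addresses are those from the thread; the acl names are assumed, and the syntax follows the BIND 8 style of the posted file.

```conf
// Added example, not the original named.conf.
// acl names below are assumed for readability.
acl "mynets"           { 208.164.85.0/28; 64.110.177.128/25; };
acl "rdns-secondaries" { 216.226.222.62; 209.198.244.2; 209.198.248.226; };

options {
    directory "/var/named";
    recursion yes;
    // Options-level allow-query governs answers served from the cache
    // (and any zone that does not override it): only our own networks.
    allow-query     { mynets; };
    allow-recursion { mynets; };
    // Default for every zone that does not say otherwise: no transfers.
    allow-transfer  { none; };
    listen-on port 53 { 208.164.85.1; };
    query-source address 208.164.85.1 port *;
};

zone "websprinter.net" {
    type master;
    file "WEBSPRINTER.NET.hosts";
    allow-query  { any; };             // authoritative data is public
    allow-update { 64.110.177.129; };  // DDNS from the DHCP server only
};

zone "85.164.208.in-addr.arpa" {
    type master;
    file "208.164.85.hosts";
    allow-query { any; };
};

zone "128/25.177.110.64.in-addr.arpa" {
    type master;
    file "64.110.177.hosts";
    allow-query    { any; };
    allow-update   { 64.110.177.129; };
    allow-transfer { rdns-secondaries; };  // overrides the global none
    also-notify    { rdns-secondaries; };
};
```

With this layout the "denied query from ... for websprinter.net" log entries stop, because lookups of the zone's own data no longer fall under the options-level restriction, while outsiders still cannot use the cache or recurse through the server. Note that allow-update and allow-transfer here match on source address only; an address-based ACL is only as strong as the network's resistance to spoofing, so the update address should at least be one that lives on the same host, as 64.110.177.129 does in the thread.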
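To make Mark's point about classless in-addr.arpa concrete, here is an added example (not the poster's zone file and not from the reply) of what the two sides of an RFC 2317 delegation look like for 64.110.177.128/25. The addresses and zone name are from the thread; the name server name ns.websprinter.net, the host name and the SOA values are assumed.

```zone
; Added example; host names and SOA values are assumed.

; --- Child zone: file 64.110.177.hosts, zone "128/25.177.110.64.in-addr.arpa" ---
$ORIGIN 128/25.177.110.64.in-addr.arpa.
$TTL 86400
@       IN SOA  ns.websprinter.net. hostmaster.websprinter.net. (
                2001031601 3600 900 604800 86400 )
        IN NS   ns.websprinter.net.
; Owner names are relative to the zone origin, so this record is
; 239.128/25.177.110.64.in-addr.arpa.  Writing the owner out as
; 239.177.110.64.in-addr.arpa. puts it outside the zone and named
; logs "outside zone ... (ignored)" and drops it.
239     IN PTR  host239.websprinter.net.

; --- Parent zone: the ISP's 177.110.64.in-addr.arpa ---
$ORIGIN 177.110.64.in-addr.arpa.
; Delegate the classless sub-zone to the customer's server.
128/25          IN NS   ns.websprinter.net.
; Point every address in 128-255 at the corresponding name in the
; sub-zone (the RFC 2317 CNAMEs Mark says are missing).
$GENERATE 128-255 $ CNAME $.128/25
```

Once both halves are in place, a reverse lookup of 64.110.177.239 returns the CNAME 239.177.110.64.in-addr.arpa to 239.128/25.177.110.64.in-addr.arpa, followed by the PTR from the child zone; until the ISP adds the NS and CNAME records, answers for the /25 stay at the ISP's servers no matter what the child zone contains. Dynamic updates from the DHCP server must use the same relative owner names, since an update for a name outside the zone is refused.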