configuring DNS not to answer queries except local domains (or not to forward certain queries)

Barry Margolin barry.margolin at level3.com
Fri Nov 14 15:29:51 UTC 2003


In article <bp1c04$22j9$1 at sf1.isc.org>,
masaki akashi  <m.akashi at rdc.west.ntt.co.jp> wrote:
>Well, I forgot to put local zone.
>but still it doesn't work, do you see any problem, mark?

I have a feeling there are still some things in your named.conf that you're
not showing us.

>On Fri, 14 Nov 2003 02:27:56 +1100
>Mark_Andrews at isc.org wrote:
>
>> 
>> > Hi all
>> > 
>> > Does anyone know how to setup the BIND9 not to answer queries 
>> >  except local domains.
>
> my /etc/named.conf is like:
> 
>  Acl localnet {
>         10.60.XX.16/28;
>         127.0.0.1;
> };
>
> options {
>         directory "/var/named";
>         allow-transfer { localnet; };
>         allow-query { localnet; };
> };
> 
> view "watch" {

Why are you using views if you only have one view and it allows everyone?

>         match-clients { any; };
>         allow-query { any; };

I think this "allow-query" statement is overriding the one in the "options"
section.

>        zone "local" {
>                type master;
>                file "localhost.zone";
>        };
>
>        zone "0.0.127.in-addr.arpa" {
>                type master;
>                file "localhost.rev";
>        };
>
>        zone "XX.60.10.in-addr.arpa" {
>                type master;
>                file "XX.60.10.in-addr.arpa";
>        };
>
>        zone "hogehoge.TLD" {
>                type master;
>                file "hogehoge.TLD";
>        };
>         zone "com" {
>            type forward;
>            forwarders {};
>         };
> }
>> > 
>> > I understand, I should write "recursion no", but this time
>> > I need recursion.

Why do you need recursion if you only want to allow queries for local
zones?

My guess is that you have another view, or other zones, that have
forwarding configured, which requires recursion.  But since you haven't
told us what you're really trying to do, or posted your real named.conf,
we have no way of figuring it out.

But just to show off, I'll make a guess: you have your views in the wrong
order.  BIND tries them in the order they appear in the named.conf, using
the first view whose "match-clients" clause is satisfied.  If you have the
"any" view first, the other views will never be used.  You should put the
most specific ones first, and the default one last.

-- 
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
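As an added illustration of the view-ordering point made above (this is not part of the original thread or the poster's configuration), here is one way to lay out a named.conf so that only "localnet" clients get recursion while everyone else can still query the zones the server is authoritative for. The view names "internal" and "external", the root-hints file name "named.ca", and the reading of the poster's goal as "recursion for the local network, authoritative answers only for everyone else" are assumptions; the ACL addresses and zone names are kept from the post, placeholders included.

```conf
acl "localnet" {
    10.60.XX.16/28;   // placeholder kept from the original post
    127.0.0.1;
};

options {
    directory "/var/named";
    allow-transfer { localnet; };
    // No allow-query here: a view-level allow-query would override it anyway,
    // so the policy is stated once, per view, below.
};

// BIND tries views in the order they appear and uses the first one whose
// match-clients is satisfied, so the most specific view goes first ...
view "internal" {
    match-clients { localnet; };
    recursion yes;
    allow-query { localnet; };
    allow-recursion { localnet; };

    // Root hints so recursion actually works (file name is assumed).
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "hogehoge.TLD" {
        type master;
        file "hogehoge.TLD";
    };
    zone "XX.60.10.in-addr.arpa" {
        type master;
        file "XX.60.10.in-addr.arpa";
    };
};

// ... and the catch-all view goes last. With recursion off and no hints,
// clients matched here get answers only for the zones listed; anything
// else is refused rather than looked up on their behalf.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "hogehoge.TLD" {
        type master;
        file "hogehoge.TLD";
    };
};
```

If the two views were swapped, the "any" view would match every client, including localnet, and the "internal" view would never be consulted, which is the failure mode guessed at above. The localhost forward and reverse zones from the post belong in the "internal" view as well. After editing, `named-checkconf` will catch syntax errors, and a `dig` for a non-local name from an address outside localnet should come back REFUSED while the same query from inside localnet is resolved.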