Bind behind a DMZ?

bindlist bindlist at codewarehouse.NET
Tue Jan 8 02:31:10 UTC 2008

On Tue, 08 Jan 2008 12:02:57 +1100, Mark Andrews <Mark_Andrews at isc.org> wrote:
> 
>> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>>
>> > It doesn't seem to be working. Is this kind of thing ok
>> > to do with bind? I have done it before with other DNS Servers but this is
>>
>>
>> Your zone entry in named.conf should reflect this by use of "allow-query"
>>
>> eg:
>>
>> acl "trust" {
>>          localhost;
>>          localnets;
>>          192.168.0.0/24;
>> };
>>
>> acl "remotedns" {
>>          1.2.3.4;
>>          5.6.7.8;
>> };
>>
>>
>> zone "example.com"  {
>>          type master;
>>          file "example.com";
>>          allow-update { none; };
>>          allow-transfer { trust; remotedns; };
>>          allow-query { any; };
>> };
>>   -OR-
>> zone "example.com" {
>>          type slave;
>>          file "example.com";
>>          masters { 1.2.3.4; };
>>          allow-query { any; };
>> };
>>
>> ....It's also been years since I've changed the way I do trusted acls,
>> but I'm sure nowadays you don't need to include localhost or localnet as
>> bind gets this from interfaces at startup and you only need IP ranges
>> not in the /24 (Mark? correct?)
> 
> 	The default is { localhost; localnets; }; for allow-query-cache
> 	and allow-recursion.  If however you set either one of these
> 	or set allow-query the defaults are overridden with what you have
> 	in the relevant acls.
> 
> 	allow-recursion and allow-query-cache cross inherit.
> 	allow-recursion and allow-query-cache inherit from allow-query
> 	if neither is set and allow-query is set.
> 
> 	Mark

Is this also true for version 9.42? Using the example above on a server we
recently changed to version 9.42 rejects recursion requests for the servers
listed in the "trusted" acl - "trust" in the above example.

from our named.conf:

acl "trusted" {
1.2.3.4; 1.2.3.5; 1.2.3.6; 1.2.3.9; 2.3.4.5; 3.4.5.6; 5.6.7.8; };

options {
    ...
    allow-query { trusted; };
    allow-recursion { trusted; };
    ...
};

zone "somedomain.tld" in {
    type master;
    file "somedomain.tld.zone";
    allow-transfer { list of IP addresses };
};

Yet the log fills up with lines indicating "recursion not available"
when a /trusted/ client makes a request.

Has something changed?

Thank you.

> 
>> --
>> Cheers
>> Res
>>
>> mysql> update auth set Framed-IP-Address='127.0.0.127' where user='troll';
>>
>>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
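A small model of the inheritance rules in Mark's reply, added here as an example (it is not BIND's code or anyone's named.conf). It assumes constructed contents for the localhost and localnets builtins, transcribes the poster's "trusted" acl as data, and reports which clients would get recursion under a given options block:

```python
import ipaddress

# Constructed stand-ins for the ACLs BIND derives from its interfaces at
# startup (assumption: the host has 127.0.0.1 and an address in 192.168.0.0/24).
BUILTIN = {"localhost": ["127.0.0.1"], "localnets": ["192.168.0.0/24"],
           "any": ["0.0.0.0/0"], "none": []}

def acl_matches(element, client, acls):
    """True if client (an ip_address) matches one ACL element: a named acl,
    a builtin, a single address or a CIDR prefix."""
    if element in acls:
        return any(acl_matches(e, client, acls) for e in acls[element])
    if element in BUILTIN:
        return any(acl_matches(e, client, acls) for e in BUILTIN[element])
    return client in ipaddress.ip_network(element, strict=False)

def effective_acls(options):
    """Resolve the three option lists using the rules in Mark's reply:
    allow-recursion and allow-query-cache cross-inherit; if neither is set
    they inherit allow-query; failing that, { localhost; localnets; }."""
    query = options.get("allow-query")
    rec = options.get("allow-recursion")
    cache = options.get("allow-query-cache")
    if rec is None and cache is not None:
        rec = cache
    elif cache is None and rec is not None:
        cache = rec
    elif rec is None and cache is None:
        rec = cache = query if query is not None else ["localhost", "localnets"]
    return {"allow-query": query if query is not None else ["any"],
            "allow-recursion": rec, "allow-query-cache": cache}

def recursion_allowed(options, acls, client_ip):
    """A recursive query must pass allow-query and then allow-recursion."""
    eff = effective_acls(options)
    client = ipaddress.ip_address(client_ip)
    return all(any(acl_matches(e, client, acls) for e in eff[key])
               for key in ("allow-query", "allow-recursion"))

# The poster's acl and options, transcribed as data (the page's own placeholder IPs).
ACLS = {"trusted": ["1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.9",
                    "2.3.4.5", "3.4.5.6", "5.6.7.8"]}
OPTIONS = {"allow-query": ["trusted"], "allow-recursion": ["trusted"]}

if __name__ == "__main__":
    for ip in ("1.2.3.5", "9.9.9.9"):
        print(ip, "recursion allowed:", recursion_allowed(OPTIONS, ACLS, ip))
```

Under these rules a "trusted" client is allowed recursion by the poster's options, so a "recursion not available" answer for such a client must come from something this model does not cover, such as the matching view or a `recursion` setting elsewhere in named.conf.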