Bind behind a DMZ?
bindlist
bindlist at codewarehouse.NET
Tue Jan 8 02:31:10 UTC 2008
On Tue, 08 Jan 2008 12:02:57 +1100, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>>
>> > It doesn't seem to be working. Is this kind of thing ok
>> > to do with bind? I have done it before with other DNS Servers but this
> is
>>
>>
>> Your zone entry in named.conf should reflect this by use of
> "allow-query"
>>
>> eg:
>>
>> acl "trust" {
>> localhost;
>> localnets;
>> 192.168.0.0/24;
>> };
>>
>> acl "remotedns" {
>> 1.2.3.4;
>> 5.6.7.8;
>> };
>>
>>
>> zone "example.com" {
>> type master;
>> file "example.com";
>> allow-update { none; };
>> allow-transfer { trust; remotedns; };
>> allow-query { any; };
>> };
>> -OR-
>> zone "example.com" {
>> type slave;
>> file "example.com";
>> masters { 1.2.3.4; };
>> allow-query { any; };
>> };
>>
>> ....It's also been years since I've changed the way I do trusted acls,
>> but I'm sure nowadays you don't need to include localhost or localnet as
>> bind gets this from interfaces at startup and only need IP ranges
>> not in the /24 (Mark? correct?)
>
> The default is { localhost; localnets; }; for allow-query-cache
> and allow-recursion. If however you set either one of these
> or set allow-query the defaults are overridden with what you have
> in the relevant acls.
>
> allow-recursion and allow-query-cache cross inherit.
> allow-recursion and allow-query-cache inherit from allow-query
> if neither is set and allow-query is set.
>
> Mark
Is this also true for version 9.42? Using the example above on a server we
recently changed to version 9.42 rejects recursion requests for the servers
listed in the "trusted" acl - "trust" in the above example.
from our named.conf:

acl "trusted" {
    1.2.3.4; 1.2.3.5; 1.2.3.6; 1.2.3.9; 2.3.4.5; 3.4.5.6; 5.6.7.8;
};

options {
    ...
    allow-query { trusted; };
    allow-recursion { trusted; };
    ...
};

zone "somedomain.tld" in {
    type master;
    file "somedomain.tld.zone";
    allow-transfer { list of IP addresses; };
};
Yet the log fills up with lines indicating "recursion not available"
when a /trusted/ client makes a request.
Has something changed?
Thank you.
>
>> --
>> Cheers
>> Res
>>
>> mysql> update auth set Framed-IP-Address='127.0.0.127' where user=
> 'troll';
>>
>>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
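To make Mark's default and inheritance rules concrete, and to work them through against the poster's named.conf, here is an added model (not BIND's code and not from anyone on this thread) that applies exactly those rules to an options{} block and then matches a client address against the resulting address match lists in BIND's first-match-wins order. The "localhost"/"localnets" addresses and the configurations are constructed assumptions; the BIND 9 default of allow-query { any; } is not stated on the page and is an assumption of the model.

```python
"""Model of the allow-query / allow-recursion / allow-query-cache rules
quoted from Mark Andrews' reply above (added illustration, not BIND's code):

  * defaults: allow-recursion and allow-query-cache are { localhost; localnets; }
  * allow-recursion and allow-query-cache cross inherit
  * both inherit from allow-query when neither is set but allow-query is
"""
import ipaddress

# Constructed stand-ins for what named learns from its interfaces at startup
# (assumption: the server listens on these addresses / attached networks).
LOCALHOST = ["127.0.0.1", "::1"]
LOCALNETS = ["1.2.3.0/24"]


def _match_element(element, client, acls):
    """True if the single element matches the client, None if it does not."""
    if element == "any":
        return True
    if element == "none":                      # matches no host at all
        return None
    if element == "localhost":
        return True if any(client == ipaddress.ip_address(a) for a in LOCALHOST) else None
    if element == "localnets":
        return True if any(client in ipaddress.ip_network(n) for n in LOCALNETS) else None
    if element in acls:                        # nested acl reference, e.g. "trusted"
        return True if match_acl(acls[element], client, acls) else None
    net = ipaddress.ip_network(element, strict=False)   # "1.2.3.4" or "10.0.0.0/8"
    return True if client in net else None


def match_acl(acl, client, acls):
    """Evaluate an address match list: the first element that matches decides.
    A leading '!' negates (explicit deny). Returns True, False, or None when
    nothing matched (which BIND also treats as a deny)."""
    for raw in acl:
        negate = raw.startswith("!")
        element = raw.lstrip("! ")
        if _match_element(element, client, acls):
            return not negate
    return None


def effective_acls(options):
    """Apply the inheritance rules from the reply above to an options{} block."""
    default = ["localhost", "localnets"]
    query = options.get("allow-query") or ["any"]   # assumption: BIND 9 default
    recursion = (options.get("allow-recursion")
                 or options.get("allow-query-cache")
                 or options.get("allow-query")
                 or default)
    query_cache = (options.get("allow-query-cache")
                   or options.get("allow-recursion")
                   or options.get("allow-query")
                   or default)
    return {"allow-query": query,
            "allow-recursion": recursion,
            "allow-query-cache": query_cache}


def decide(config, client_ip):
    """Say whether client_ip may query, recurse, and read the cache."""
    client = ipaddress.ip_address(client_ip)
    eff = effective_acls(config["options"])
    return {name: bool(match_acl(acl, client, config["acl"]))
            for name, acl in eff.items()}


# Constructed configuration mirroring the poster's named.conf; the addresses
# are the page's placeholder values, not real hosts.
CONFIG = {
    "acl": {"trusted": ["1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.9",
                        "2.3.4.5", "3.4.5.6", "5.6.7.8"]},
    "options": {"allow-query": ["trusted"], "allow-recursion": ["trusted"]},
}

if __name__ == "__main__":
    for ip in ("1.2.3.4", "9.9.9.9", "127.0.0.1"):
        print(ip, decide(CONFIG, ip))
```

Under the stated rules the poster's config grants recursion to 1.2.3.4 and, because allow-query is set, withdraws the localhost/localnets default: 127.0.0.1 is refused both queries and recursion. Dropping allow-recursion from options{} changes nothing for the trusted hosts, since allow-recursion then inherits { trusted; } from allow-query; leaving all three unset is the only case in which the localhost/localnets default applies.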