Bind behind a DMZ?

bindlist bindlist at codewarehouse.NET
Tue Jan 8 05:19:40 UTC 2008


Hello and thank you for your response.

On Tue, 08 Jan 2008 15:54:53 +1100, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>> On Tue, 08 Jan 2008 12:02:57 +1100, Mark Andrews <Mark_Andrews at isc.org> wrote:
>> >
>> >> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>> >>
>> >> > It doesn't seem to be working. Is this kind of thing ok
>> >> > to do with bind? I have done it before with other DNS Servers but this is
>> >>
>> >>
>> >> Your zone entry in named.conf should reflect this by use of
>> > "allow-query"
>> >>
>> >> eg:
>> >>
>> >> acl "trust" {
>> >>          localhost;
>> >>          localnets;
>> >>          192.168.0.0/24;
>> >> };
>> >>
>> >> acl "remotedns" {
>> >>          1.2.3.4;
>> >>          5.6.7.8;
>> >> };
>> >>
>> >>
>> >> zone "example.com"  {
>> >>          type master;
>> >>          file "example.com";
>> >>          allow-update { none; };
>> >>          allow-transfer { trust; remotedns; };
>> >>          allow-query { any; };
>> >> };
>> >>   -OR-
>> >> zone "example.com" {
>> >>          type slave;
>> >>          file "example.com";
>> >>          masters { 1.2.3.4; };
>> >>          allow-query { any; };
>> >> };
>> >>
>> >> ....It's also been years since I've changed the way I do trusted acls,
>> >> but I'm sure nowadays you don't need to include localhost or localnet as
>> >> bind gets this from interfaces at startup and only need IP ranges
>> >> not in the /24 (Mark? correct?)
>> >
>> > 	The default is { localhost; localnets; }; for allow-query-cache
>> > 	and allow-recursion.  If however you set either one of these
>> > 	or set allow-query the defaults are overridden with what you have
>> > 	in the relevant acls.
>> >
>> > 	allow-recursion and allow-query-cache cross inherit.
>> > 	allow-recursion and allow-query-cache inherit from allow-query
>> > 	if neither is set and allow-query is set.
>> >
>> > 	Mark
>>
>> Is this also true for version 9.42?
> 
> 	Yes.
> 
Except /my/ copy. :(

Guess we'll have to roll back to an older version.

Thank you for all your time and consideration.

>> Using the example above on a server we
>> recently changed to version 9.42 rejects recursion requests for the servers
>> listed in the "trusted" acl - "trust" in the above example.
>>
>> from our named.conf:
>>
>> acl "trusted" {
>> 1.2.3.4; 1.2.3.5; 1.2.3.6; 1.2.3.9; 2.3.4.5; 3.4.5.6; 5.6.7.8; };
>>
>> options {
>>     ...
>>     allow-query { trusted; };
>>     allow-recursion { trusted; };
>>     ...
>> };
>>
>> zone "somedomain.tld" in {
>>     type master;
>>     file "somedomain.tld.zone";
>>     allow-transfer { list of IP addresses; };
>> };
>>
>> Yet the log fills up with lines indicating "recursion not available"
>> when a /trusted/ client makes a request.
>>
>> Has something changed?
>>
>> Thank you.
>>
>> >
>> >> --
>> >> Cheers
>> >> Res
>> >>
>> >> mysql> update auth set Framed-IP-Address='127.0.0.127' where user=
>> > 'troll';
>> >>
>> >>
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>> /////////////////////////////////////////////////////
>> Service provided by hitOmeter.NET internet messaging!
>> .
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
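The inheritance rules Mark states above, modelled as an added example that is not part of this thread or of BIND's own code; it evaluates the poster's "trusted" acl against the option settings and assumes stand-in contents for the built-in localhost/localnets acls, an allow-query default of { any; }, and no negated (!) acl elements.

```python
import ipaddress

# Constructed model of the BIND 9 ACL rules Mark Andrews states in the thread.
# "localhost"/"localnets" contents are assumed stand-ins for what named derives
# from its interfaces at startup.
DEFAULT_ACL = ["localhost", "localnets"]
BUILTIN_ACLS = {"localhost": ["127.0.0.1/32"], "localnets": ["192.168.0.0/24"]}
# The poster's "trusted" acl, copied from the named.conf quoted above.
USER_ACLS = {"trusted": ["1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.9",
                         "2.3.4.5", "3.4.5.6", "5.6.7.8"]}

def effective_acls(allow_query=None, allow_recursion=None, allow_query_cache=None):
    """Effective (allow-query, allow-recursion, allow-query-cache) lists.
    Thread rules: allow-recursion and allow-query-cache default to
    { localhost; localnets; }; setting either one also sets the other (they
    cross inherit); if neither is set but allow-query is, both inherit from
    allow-query.  allow-query defaulting to { any; } is an assumption here."""
    query = list(allow_query) if allow_query is not None else ["any"]
    if allow_recursion is None and allow_query_cache is None:
        shared = list(allow_query) if allow_query is not None else list(DEFAULT_ACL)
        return query, shared, list(shared)
    rec = allow_recursion if allow_recursion is not None else allow_query_cache
    cache = allow_query_cache if allow_query_cache is not None else allow_recursion
    return query, list(rec), list(cache)

def client_matches(acl, client_ip):
    """Does client_ip match an acl of 'any'/'none', acl names and CIDR prefixes?
    Simplified: negated (!) elements are not modelled."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        if elem == "any":
            return True
        if elem == "none":
            return False
        nested = BUILTIN_ACLS.get(elem) or USER_ACLS.get(elem)
        if nested is not None:
            if client_matches(nested, client_ip):
                return True
        elif ip in ipaddress.ip_network(elem, strict=False):
            return True
    return False

def recursion_allowed(client_ip, **options):
    """Would named recurse for client_ip under these options {} settings?"""
    _, rec, _ = effective_acls(**options)
    return client_matches(rec, client_ip)
```

Running it shows the point behind Mark's "the defaults are overridden": once options carry allow-query { trusted; }, a client on the local network that recursion would have served by default is refused, while the listed trusted addresses are allowed.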