Views and Blackhole
Chris Buxton
cbuxton at menandmice.com
Tue Nov 18 06:46:13 UTC 2008
Remove your subnet from the bogons ACL at the beginning.
acl bogons {
! 192.168.16.0/21;
0.0.0.0/8;
[...]
192.168.0.0/16;
[...]
};
Chris Buxton
Professional Services
Men & Mice
On Nov 17, 2008, at 8:38 PM, root net wrote:
> Hello,
>
> I have a server I am testing before I put in production. Working on
> a more secure bind config. BTW if anyone has any other suggestions
> on locking down bind beside below and chroot let me know. I was
> adding views which has been debated time and time again whether or
> not it really helps but anyway. My problem is I have the latest
> bogons from team-cymru which includes my internal network subnet
> 192.168.16.0/21. So in the bogons list it says 192.168.0.0/16 which
> is blackholed. So my local network is being blackholed but it works
> fine when users not on the bogons query the server from the external
> view. My question is how can I get this to work without adding each
> cidr block of the 192.168.0.0/16 separately or even breaking it up
> in /21s? I have tried everything I know how. A sanitized portion of
> my named.conf is this:
>
> // For length's sake I took out the other networks.....
>
> acl i_lan { 127.0.0.1; 192.168.16.0/21; };
> acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2; };
> acl bogons {
>     0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     5.0.0.0/8;
>     192.168.0.0/16;
>     198.18.0.0/15;
>     223.0.0.0/8;
>     224.0.0.0/3;
> };
>
> options {
>     version "Go Away";
>     directory "/var/named";
>     dump-file "/var/dump/named_dump.db";
>     pid-file "/var/run/named/named.pid";
>     statistics-file "/var/stats/named.stats";
>     recursion no;
>     allow-query { any; };
>     listen-on { 127.0.0.1; 192.168.16.2; };
>     recursive-clients 1000;
>     tcp-clients 1000;
>     auth-nxdomain yes;
>     blackhole { bogons; };
> };
>
> view "internal" {
>     match-clients { i_lan; };
>     notify no;
>     recursion yes;
>     allow-transfer { i_dns; };
>     zone "localhost" {
>         type master;
>         file "localhost.zone";
>     };
>     zone "127.in-addr.arpa" {
>         type master;
>         file "localhost.zone";
>     };
>     zone "0.in-addr.arpa" {
>         type master;
>         file "named.zero";
>     };
>     zone "255.in-addr.arpa" {
>         type master;
>         file "named.broadcast";
>     };
>
>     // zones go here
> };
>
> view "external" {
>     match-clients { !i_lan; any; };
>     recursion no;
>     allow-transfer { i_dns; };
>     // zones go here
> };
>
>
> Any help is appreciated and thanks in advance.
>
> RootNet08
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
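The reply above works because BIND evaluates an address match list in order and the first element that matches decides, with a leading "!" negating that element. The following Python model is an added example, not code from the thread or from ISC's BIND: it re-implements that first-match rule and runs the poster's quoted bogons list, the reply's corrected list, and a wrongly ordered variant (negation placed after 192.168.0.0/16) against a few constructed client addresses, so the effect of the element order on `blackhole { bogons; };` can be seen directly.

```python
import ipaddress

# Added example (not from the thread): a small model of how BIND evaluates an
# address_match_list such as "acl bogons { ... }" used in "blackhole { bogons; };".
# Elements are tested in order and the FIRST element that matches decides the
# result; a "!" prefix negates that element. So "! 192.168.16.0/21" placed
# BEFORE "192.168.0.0/16" carves an exception out of the broader entry, while
# the same negation placed AFTER it is never reached for that subnet.
# The ACL contents below are constructed from the values quoted in the thread.


def parse_acl(elements):
    """Turn entries like '! 192.168.16.0/21;' into (negated, network) pairs."""
    parsed = []
    for elem in elements:
        elem = elem.strip().rstrip(";").strip()
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        # A bare address such as 127.0.0.1 becomes a /32 (or /128) host network.
        parsed.append((negated, ipaddress.ip_network(elem, strict=False)))
    return parsed


def acl_matches(acl, address):
    """First-match evaluation: True if the address is accepted by the ACL,
    False if its first matching element is negated or nothing matches at all."""
    addr = ipaddress.ip_address(address)
    for negated, net in acl:
        if addr.version == net.version and addr in net:
            return not negated
    return False


def is_blackholed(bogons, client):
    """blackhole { bogons; } drops every client whose source address matches."""
    return acl_matches(bogons, client)


# The poster's list as quoted (abridged): the internal /21 sits inside 192.168/16.
BOGONS_ORIGINAL = parse_acl([
    "0.0.0.0/8;", "1.0.0.0/8;", "192.168.0.0/16;", "198.18.0.0/15;", "224.0.0.0/3;",
])

# The fix from the reply: negate the local subnet as the FIRST element.
BOGONS_FIXED = parse_acl([
    "! 192.168.16.0/21;",
    "0.0.0.0/8;", "1.0.0.0/8;", "192.168.0.0/16;", "198.18.0.0/15;", "224.0.0.0/3;",
])

# Same negation, but placed after the /16: the /16 already matched, so the
# negated element is never reached for internal clients.
BOGONS_WRONG_ORDER = parse_acl([
    "0.0.0.0/8;", "1.0.0.0/8;", "192.168.0.0/16;",
    "! 192.168.16.0/21;",
    "198.18.0.0/15;", "224.0.0.0/3;",
])


def summary(client):
    """Return (original, fixed, wrong_order) blackhole decisions for one client."""
    return (is_blackholed(BOGONS_ORIGINAL, client),
            is_blackholed(BOGONS_FIXED, client),
            is_blackholed(BOGONS_WRONG_ORDER, client))


if __name__ == "__main__":
    # Constructed client addresses: inside the /21, at its upper edge, just
    # outside it (still RFC 1918), elsewhere in 192.168/16, and a public address.
    for client in ("192.168.16.50", "192.168.23.254", "192.168.24.1",
                   "192.168.1.1", "203.0.113.7"):
        print(f"{client:15} blackholed (original, fixed, wrong order) = {summary(client)}")
```

Both the corrected and the wrongly ordered ACL are syntactically valid, so a syntax check of named.conf alone will not reveal a misplaced negation; a quick check like the one above (or a test query from an internal host after reloading) is what confirms the exception actually takes effect.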