ACL for forward zone

Richard Tom rtom at cv.net
Tue Jul 13 02:05:15 UTC 2010


The syntax for a forward zone is:

zone domain_name [ ( in | hs | hesiod | chaos ) ] {
  type forward;
  [ forward ( only | first ); ]
  [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ]
  [ check-names ( warn | fail | ignore ); ]
};


For the kind of access control you're trying to achieve, use a "view".  
The syntax is as follows.

view view_name [class] {
  match-clients { address_match_list };
  match-destinations { address_match_list };
  match-recursive-only yes_or_no ;
  [ view_option; ... ]
  [ zone_statement; ... ]
};

Do some perusing of the Administrator's Reference Manual (ARM).  You 
might find the information in there quite useful.

Regards,
Richard

Prabhat Rana wrote:
> Hi Nuno,
> Thanks for the response. However, I don't own the authoritative servers. And the clients that I am serving don't have direct access to the authoritative servers.
>
> Prabhat.
>
> --- On Mon, 7/12/10, Nuno Paquete <nunopaquete at lusocargo.pt> wrote:
>
>> From: Nuno Paquete <nunopaquete at lusocargo.pt>
>> Subject: Re: ACL for forward zone
>> To: "Prabhat Rana" <prana9533 at yahoo.com>
>> Cc: bind-users at lists.isc.org
>> Date: Monday, July 12, 2010, 4:17 PM
>> Hi Prabhat,
>>
>> I think you don't need this ACL in your forwarder server, define it on
>> the authoritative server (1.2.3.4 and 5.6.7.8, according to your
>> example).
>>
>> Regards,
>> Nuno Paquete
>>
>> On 2010/07/12, at 19:27, "Prabhat Rana" <prana9533 at yahoo.com> wrote:
>>
>>> Hello all,
>>> I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder
>>> for a certain internal private IP zone to certain internal DNS
>>> servers. In the meantime I need to use a certain ACL so that it would
>>> forward the queries and reply to them only from certain IP address
>>> clients. So I used the following configs in named.conf
>>>
>>> acl "Internal" { 10.0.1.0/24; };
>>>
>>> zone "10.in-addr.arpa" in {
>>>         type forward;
>>>         forwarders { 1.2.3.4; 5.6.7.8; };
>>>         allow-query { "Internal"; };
>>> };
>>>
>>> However it appears I can't use the 'allow-query' option in a forward zone,
>>> as seen in the syslog:
>>> /etc/named.conf:102: option 'allow-query' is not allowed in
>>> 'forward' zone '10.in-addr.arpa'
>>>
>>> Basically you know what I'm trying to achieve. So if anyone has any
>>> tip how I can use forward from the clients only within a certain IP
>>> address range, that would be great.
>>>
>>> Prabhat.
>>>
>>> _______________________________________________
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>

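The view-based answer above, worked into a complete named.conf fragment. This is an added example, not configuration from Richard's reply or from any poster in the thread; the ACL and the 10.0.1.0/24, 1.2.3.4 and 5.6.7.8 addresses are the placeholders from the original question, and the view names "internal" and "external" and the hints file name are assumptions.

```conf
// Added example (not from the thread). Goal: forward 10.in-addr.arpa to two
// internal servers, but only for clients in 10.0.1.0/24. allow-query is
// rejected inside a forward zone, so the restriction is expressed with a
// view whose match-clients selects the permitted source addresses.

acl "Internal" { 10.0.1.0/24; };          // addresses from the question

options {
    directory "/var/named";               // assumed path
    recursion no;                         // default for anything not matched below
};

// Views are tried in order; the first whose match-clients matches the
// query's source address wins. Internal clients land here.
view "internal" {
    match-clients { "Internal"; };
    recursion yes;                        // forwarding is a recursive operation

    // The forward zone from the question, now scoped to this view only.
    zone "10.in-addr.arpa" IN {
        type forward;
        forward only;                     // never fall back to iterative lookup
        forwarders { 1.2.3.4; 5.6.7.8; }; // placeholders from the question
    };

    // Once any view exists, every zone must live inside a view, so the root
    // hints needed for ordinary recursion move in here as well.
    zone "." IN {
        type hint;
        file "named.ca";                  // assumed file name
    };
};

// Everyone else: no forward zone and no recursion, so a query for
// 10.in-addr.arpa from outside 10.0.1.0/24 gets REFUSED instead of being
// relayed to the internal servers.
view "external" {
    match-clients { any; };
    recursion no;
};
```

Two points worth checking before deploying: run named-checkconf on the result, since moving to views means every existing zone statement in the file (not just this one) has to be inside a view or the file no longer loads; and because a forward zone can only be answered recursively, an options-level allow-recursion { "Internal"; } achieves a similar effect with less restructuring when the server has no other reason to use views.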

