All zone blocks for "public" view should be listed here in "internal" too!

Bèrto ëd Sèra berto.d.sera at gmail.com
Thu Sep 23 17:32:28 UTC 2010


Hi!

Thanks for the answer :) Well, this is a web server, there is no such thing as
an internal user or network, let alone 127.0.0.1 (which is definitely in
"internal" only). Since the shipped configuration file accepts queries
from:

acl "trusted" {
    127.0.0.0/8;
    ::1/128;
};

I'd say it is made for a single machine only, which is definitely not my case.

My internal currently is:

view "internal" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };

    zone "localhost" IN {
        type master;
        file "/var/bind/pri/localhost.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "/var/bind/pri/127.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };
};

I cannot think of much that uses it, apart from database listeners on 127.0.0.1,
so allowing matches for "trusted" should be okay. There is nothing that
should call one domain from another. Interlinks in web pages are actually
client-side calls from the public network, so nothing comes from "within".

My public view is:

view "public" in {
    /*
     * Our external (untrusted) view. We permit any client to access
     * portions of this view. We do not perform recursion or cache
     * access for hosts using this view.
     */

    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };

    zone "example.org" {
        type master;
        file "/var/bind/pri/example.org.external";
        allow-query { any; };
        allow-transfer { xfer; };
    };

    // etc etc
};

xfer goes to the secondary nameserver, so everything should be safe.

Thanks
Bèrto



On 23 September 2010 20:21, Lightner, Jeff <jlightner at water.com> wrote:

> In views order is important. If you have internal before others (e.g.
> external) then that is the default view.
>
> What I **think** it is telling you is that if you have an internal view
> that you restrict to certain networks that you need to ensure you have all
> the public zones in the external view and the internal view if you intend to
> have your internal users see them. That is what we do here.
>
>  ------------------------------
>
> *From:* bind-users-bounces+jlightner=water.com at lists.isc.org [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] *On Behalf Of *Bèrto ëd Sèra
> *Sent:* Thursday, September 23, 2010 1:14 PM
> *To:* bind-users at lists.isc.org
> *Subject:* All zone blocks for "public" view should be listed here in "internal" too!
>
>
> Hi!
>
> I hope this is the right alley for my question. I run a public DNS for
> several domains on a Gentoo server. After upgrading to 9.7.1_p2 I read in
> the shipped configuration that "All zone blocks for "public" view should be
> listed here in "internal" too!".
>
> Now, what does it mean? Do I simply copy and paste the public zone entries
> in the internal zone? And what's the point in doing it, if everyone needs it
> anyway?
>
> I hope you'll pardon my obvious lack of basic knowledge on the subject.
>
> Bèrto
>



-- 
==============================
Constitution of 24 June 1793 - Article 35. - When the government violates the
rights of the people, insurrection is, for the people and for each portion of
the people, the most sacred of rights and the most indispensable of duties.
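As an added example (my own, not from the thread and not part of the BIND distribution), here is a small POSIX shell audit for the two points raised above: view order matters because BIND tries views in declaration order and the first matching match-clients wins, so a "public" view with match-clients { any; } listed first would swallow every query; and every zone declared in "public" must also be declared in "internal" or a client that matches "internal" gets no authoritative answer for it from that view. The two sample configurations are constructed from the snippets in the thread (example.net is an invented second zone), and the parser assumes one view or zone statement per line; check the real file with named-checkconf as well.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND: audit a named.conf-style
# text so that every zone declared in view "public" is also declared in view
# "internal", and flag views that can never be reached because an earlier
# view already matches any client (BIND evaluates views in declaration order;
# the first match-clients hit wins).
# Assumption: one "view" / "zone" statement per line, as in the configs
# pasted above. Run named-checkconf on the real file before trusting this.

# Constructed sample modelled on the thread; example.org/example.net only in "public".
SAMPLE_CONF='
acl "trusted" { 127.0.0.0/8; ::1/128; };
view "internal" in {
    match-clients { trusted; };
    recursion yes;
    zone "." in { type hint; file "/var/bind/root.cache"; };
    zone "localhost" IN { type master; file "/var/bind/pri/localhost.zone"; };
    zone "127.in-addr.arpa" IN { type master; file "/var/bind/pri/127.zone"; };
};
view "public" in {
    match-clients { any; };
    recursion no;
    zone "." in { type hint; file "/var/bind/root.cache"; };
    zone "example.org" { type master; file "/var/bind/pri/example.org.external"; allow-transfer { xfer; }; };
    zone "example.net" { type master; file "/var/bind/pri/example.net.external"; allow-transfer { xfer; }; };
};
'

# Constructed sample with the views in the wrong order ("public" first).
BAD_ORDER_CONF='
view "public" in { match-clients { any; }; recursion no; };
view "internal" in { match-clients { trusted; }; recursion yes; };
'

# zones_in_view CONF VIEW: zone names declared inside VIEW, sorted, one per line.
zones_in_view() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*view[ \t]+"/ {
            match($0, /"[^"]*"/); cur = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[ \t]*zone[ \t]+"/ && cur == want {
            match($0, /"[^"]*"/); print substr($0, RSTART + 1, RLENGTH - 2)
        }' | LC_ALL=C sort
}

# view_order CONF: view names in declaration order, space separated.
view_order() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*view[ \t]+"/ {
            match($0, /"[^"]*"/)
            names = names sep substr($0, RSTART + 1, RLENGTH - 2); sep = " "
        }
        END { print names }'
}

# shadowed_views CONF: views declared after the first one whose
# match-clients is { any; }; those views can never be selected.
shadowed_views() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*view[ \t]+"/ {
            match($0, /"[^"]*"/); cur = substr($0, RSTART + 1, RLENGTH - 2)
            if (seen_any) { names = names sep cur; sep = " " }
        }
        /match-clients[ \t]*[{][ \t]*any[ \t]*;/ { seen_any = 1 }
        END { print names }'
}

# missing_in_internal CONF: zones served in "public" that "internal" lacks.
missing_in_internal() {
    _internal=$(zones_in_view "$1" internal)
    for _z in $(zones_in_view "$1" public); do
        printf '%s\n' "$_internal" | grep -qxF -- "$_z" || echo "$_z"
    done
}

# Report for the sample configuration.
echo "view order: $(view_order "$SAMPLE_CONF")"
for _v in $(shadowed_views "$SAMPLE_CONF"); do
    echo "WARNING: view \"$_v\" is unreachable (an earlier view matches any client)"
done
for _z in $(missing_in_internal "$SAMPLE_CONF"); do
    echo "MISSING: zone \"$_z\" is in view \"public\" but not in view \"internal\""
done
```

If shadowed_views prints anything, the listed views are dead configuration. If missing_in_internal prints a zone, a client that matches "internal" (here only 127.0.0.0/8 and ::1) is not answered authoritatively for it from that view; with recursion yes and the root hints it would be resolved recursively instead, which is a different code path than the one the public view takes.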