Queries for secondary partial reverse DNS being blocked by good ACLs
Ethan Butterfield
primus at bayarea.net
Fri Jul 16 23:04:02 UTC 1999
BIND 8.2.1, Solaris 2.6 (Sparc)
I recently started secondarying a set of domains for a friend. One of the
domains is his partial reverse DNS (a-la RFC 2317) for his network, a /29.
I use ACLs to lock down access for various things, one of which is so that
outside networks can only query my DNS server for the domains I host
(primary and secondary), rather than use it as a general query server.
Now, everything works fine with the 6 or so other domains I brought up
last night. However, the *exact same ACL* is apparently being ignored on
the partial reverse DNS domains. It looks as if BIND is ignoring the
specific allow-query statement in the zone record for the partial reverse
domain, and is instead only looking at the general allow-query I have at
the top of the file. I tested this out by replacing the global allow-query
with an any statement, and lo and behold, I can query from outside now.
The global statement is:
allow-query { internal; kabir; };
where internal is my network (a /28), and kabir is his network (the
aforementioned /29).
These are the statements for the partial reverse domain:
zone "144.101.216.in-addr.arpa" {
        type slave;
        masters { 216.101.144.149; };
        file "db.216.101.144";
        check-names fail;
        allow-update { internal; kabir; };
        allow-query { any; };
        allow-transfer { internal; kabir; audit; };
};
zone "144/29.144.101.216.in-addr.arpa" {
        type slave;
        masters { 216.101.144.149; };
        file "db.216.101.144";
        check-names fail;
        allow-update { internal; kabir; };
        allow-query { any; };
        allow-transfer { internal; kabir; audit; };
};
with specific allow-query { any; }; statements.
As it stands, any queries for this partial reverse from outside my and his
networks are refused, and generate a message like this:
Jul 16 14:11:28 veris3 named[1689]: unapproved query from
[206.13.28.11].59891 for "144.144.101.216.in-addr.arpa"
which is completely correct if the query was supposed to be blocked, which
it's not.
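The following is an added illustration, not code from the post or from BIND. It models how a query for a name under an RFC 2317 classless delegation traverses two zones (the name in the log, 144.144.101.216.in-addr.arpa, lives in the parent /24 zone and is a CNAME into the 144/29 zone), which allow-query ACL governs each hop, and what happens when a name falls in no zone the server has loaded: the global allow-query from the options block applies. The zone names, ACL names and addresses are taken from the post; the "internal" prefix (192.0.2.0/28), the PTR targets and the CNAME records are constructed, and the matching logic is a simplification of what named actually does.

```python
"""Added example: model zone selection and allow-query ACL checks for an
RFC 2317 reverse delegation. Not BIND code; a simplified illustration."""

import ipaddress

# ACL definitions. "kabir" is the /29 named in the post; the prefix for
# "internal" is an assumption (the post only says it is a /28).
ACLS = {
    "internal": [ipaddress.ip_network("192.0.2.0/28")],      # constructed
    "kabir": [ipaddress.ip_network("216.101.144.144/29")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}

# The options-level allow-query from the post.
GLOBAL_ALLOW_QUERY = ["internal", "kabir"]

# Zones the server holds, each with its own allow-query. Record data is
# constructed: the /24 parent zone carries CNAMEs into the /29 zone (the
# RFC 2317 technique), and the /29 zone carries the actual PTRs.
ZONES = {
    "144.101.216.in-addr.arpa": {
        "allow-query": ["any"],
        "records": {
            "144.144.101.216.in-addr.arpa":
                ("CNAME", "144.144/29.144.101.216.in-addr.arpa"),
            "145.144.101.216.in-addr.arpa":
                ("CNAME", "145.144/29.144.101.216.in-addr.arpa"),
        },
    },
    "144/29.144.101.216.in-addr.arpa": {
        "allow-query": ["any"],
        "records": {
            "144.144/29.144.101.216.in-addr.arpa": ("PTR", "router.example.net"),
            "145.144/29.144.101.216.in-addr.arpa": ("PTR", "host1.example.net"),
        },
    },
}


def acl_permits(acl_names, client_ip):
    """True if the client address is inside any prefix of the named ACLs."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for name in acl_names for net in ACLS[name])


def zone_for(qname, zones):
    """Longest-suffix match: the most specific configured zone containing qname,
    or None if the server holds no zone that covers the name."""
    labels = qname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(qname, client_ip, zones=ZONES, global_acl=GLOBAL_ALLOW_QUERY,
            max_chain=8):
    """Return (status, answers). Chases CNAMEs through zones the server holds,
    applying the governing allow-query at each hop: the zone's own ACL when the
    name is inside a loaded zone, otherwise the global one (the "unapproved
    query" case in the post's log line corresponds to a REFUSED here)."""
    answers = []
    name = qname.lower()
    for _ in range(max_chain):
        zone = zone_for(name, zones)
        acl = zones[zone]["allow-query"] if zone else global_acl
        if not acl_permits(acl, client_ip):
            return "REFUSED", answers
        if zone is None:
            return "NOTAUTH", answers      # permitted, but we are not authoritative
        record = zones[zone]["records"].get(name)
        if record is None:
            return "NXDOMAIN", answers
        answers.append((name, record[0], record[1]))
        if record[0] != "CNAME":
            return "NOERROR", answers
        name = record[1].lower()            # follow the RFC 2317 CNAME
    return "SERVFAIL", answers              # CNAME loop or chain too long


if __name__ == "__main__":
    # Outside client (the address from the post's log line) with both zones loaded.
    print(resolve("144.144.101.216.in-addr.arpa", "206.13.28.11"))
    # Same query when the parent /24 zone is not loaded: the name matches no
    # zone, so the global allow-query decides, and the outside client is refused.
    without_parent = {k: v for k, v in ZONES.items()
                      if k != "144.101.216.in-addr.arpa"}
    print(resolve("144.144.101.216.in-addr.arpa", "206.13.28.11",
                  zones=without_parent))
```

The second call in the `__main__` block is the one to compare against the log line: a per-zone `allow-query { any; }` can only take effect for names that fall inside a zone the server has actually loaded, so when checking this kind of refusal it is worth confirming from the named log that both the /24 and the /29 slave zones transferred and loaded, not just that their statements are present in named.conf.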