Queries for secondary partial reverse DNS being blocked by good ACLs

Mark_Andrews at isc.org
Fri Jul 16 23:46:08 UTC 1999


	Both these zones are using the same file name to store the zone
	contents into.  Make them unique, remove db.216.101.144 and
	reload.

	Mark

> 
> BIND 8.2.1, Solaris 2.6 (Sparc)
> 
> I recently started secondarying a set of domains for a friend. One of the
> domains is his partial reverse DNS (a-la RFC 2317) for his network, a /29.
> I use ACLs to lock down access for various things, one of which is so
> that outside networks can only query my DNS server for the domains I host
> (primary and secondary), rather than use it as a general query server.
> 
> Now, everything works fine with the 6 or so other domains I brought up
> last night. However, the *exact same ACL* is apparently being ignored on
> the partial reverse DNS domains. It looks as if BIND is ignoring the
> specific allow-query statement in the zone record for the partial reverse
> domain, and is instead only looking at the general allow-query I have at
> the top of the file. I tested this out by replacing the global allow-query
> with an any statement, and lo and behold, I can query from outside now.
> 
> The global statement is:
> 
> allow-query { internal; kabir; };
> 
> where internal is my network (a /28), and kabir is his network (the
> aforementioned /29).
> 
> These are the statements for the partial reverse domain:
> 
> zone "144.101.216.in-addr.arpa" {
>         type slave;
>         masters { 216.101.144.149; };
>         file "db.216.101.144";
>         check-names fail;
>         allow-update {internal; kabir; };
>         allow-query { any; };
>         allow-transfer { internal; kabir; audit; };
> };
> 
> zone "144/29.144.101.216.in-addr.arpa" {
>         type slave;
>         masters { 216.101.144.149; };
>         file "db.216.101.144";
>         check-names fail;
>         allow-update { internal; kabir; };
>         allow-query { any; };
>         allow-transfer { internal; kabir; audit; };
> };
> 
> with specific allow-query { any; }; statements.
> 
> As it stands, any queries for this partial reverse from outside my and his
> networks are refused, and generate a message like this:
> 
> Jul 16 14:11:28 veris3 named[1689]: unapproved query from
> [206.13.28.11].59891 for "144.144.101.216.in-addr.arpa" 
> 
> which is completely correct if the query was supposed to be blocked, which
> it's not.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
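As an added illustration of the fault Mark points out (this is not code from the thread or from BIND): a small audit script that parses zone statements out of a named.conf-style text and reports any file name declared by more than one zone. The configuration text is constructed here from the post; the third zone, "kabir.example", is an invented control that uses its own file.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment modelled on the post: the two RFC 2317
# reverse zones share one file name (the fault Mark identifies); the third
# zone is an invented control with a file of its own.
NAMED_CONF = """
zone "144.101.216.in-addr.arpa" {
    type slave;
    masters { 216.101.144.149; };
    file "db.216.101.144";
    allow-query { any; };
};

zone "144/29.144.101.216.in-addr.arpa" {
    type slave;
    masters { 216.101.144.149; };
    file "db.216.101.144";
    allow-query { any; };
};

zone "kabir.example" {
    type slave;
    masters { 216.101.144.149; };
    file "db.kabir.example";
};
"""

# One zone statement: quoted name, optional class, body up to the closing "};"
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{(.*?)\n\};', re.S)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')

def zone_files(conf):
    """Map each zone name to the file path its zone statement declares."""
    result = {}
    for name, body in ZONE_RE.findall(conf):
        m = FILE_RE.search(body)
        if m:
            result[name] = m.group(1)
    return result

def shared_files(conf):
    """Return {file: [zones]} for every file declared by more than one zone."""
    by_file = defaultdict(list)
    for zone, path in zone_files(conf).items():
        by_file[path].append(zone)
    return {p: z for p, z in by_file.items() if len(z) > 1}
```

To check a live server, read the real named.conf into the `conf` argument; the regexes cover the one-line `file "...";` form shown in the post, not every named.conf construct.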