option allow-query

Chip Old fold at bcpl.net
Tue Mar 27 05:18:56 UTC 2001


On Mon, 26 Mar 2001, syn uw wrote to bind-users at isc.org:

> I am currently using BIND v4.9.8 on OpenBSD and I would like to
> restrict the people allowed to use my DNS server to a network or IP
> address. I know for BIND v8.x.x you have the option allow-query but
> under BIND v4.x.x I can't find the equivalent ! Does anybody know the
> equivalent or is there simply no possibility to limit the use of my
> DNS server with BIND v4 ?

It's possible in 4.9.x, but it's not as elegant or as useful as 8.x.x's
allow-query option.  I experimented briefly with it but gave it up because
it protects only records for which your name servers are authoritative.
It doesn't stop outsiders from hitting on your name servers for data for
which they are not authoritative.  In other words, an outsider can still
use your name servers to look up records for anything outside your domain.
If you still want to try it, here's the scoop:

On the master server (primary in 4.x speak) enter TXT records like the
following in each of the zone files to which you want to limit access.
Notice that these make use of a pseudo domain name "secure_zone":

The following allows access from the whole 204.255.212.0/24 network:

  secure_zone   IN   TXT   "204.255.212.0:255.255.255.0"

The following allows access from a single host on the 204.255.212.0/24
network:

  secure_zone   IN   TXT   "204.255.212.15:H"

(The "H" is equivalent to netmask 255.255.255.255)

The following is mandatory:

  secure_zone   IN   TXT   "127.0.0.1:H"

Without that the resolver on the name server will break.

If you want to allow access from multiple networks and/or multiple
individual hosts, do each on its own line.  For example, the following will
allow access from the 204.255.212.0/24 and 216.66.218.0/24 networks and from
the individual hosts 207.19.140.173 and 208.242.126.7:

  secure_zone   IN   TXT   "204.255.212.0:255.255.255.0"
  secure_zone   IN   TXT   "206.66.216.0:255.255.255.0"
  secure_zone   IN   TXT   "207.19.140.173:H"
  secure_zone   IN   TXT   "208.242.126.7:H"
  secure_zone   IN   TXT   "127.0.0.1:H"

Note that these records are put in the zone files on the master only.
There is no need (and no way) to do anything on the slaves, because the
records will end up on the slaves automatically as of the next zone
transfer.

Note also that the ability to do zone transfers is also limited to the
networks and/or hosts covered by those TXT records, so make sure all
slaves (secondaries) for the affected zones are included in your list.
I'm not sure, but I don't think an xfernets statement in the primary's
named.boot will override this.

Have fun, but think seriously about upgrading to at least BIND 8.2.3-REL.
It handles this better, and is much more secure.

-- 
Chip Old (Francis E. Old)               E-Mail:  fold at bcpl.net
Manager, BCPL Network Services          Voice:   410-887-6180
Manager, BCPL.NET Internet Services     FAX:     410-887-2091
320 York Road
Towson, Maryland 21204 U.S.A.
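To audit a zone file's secure_zone records against the two caveats in the post (the mandatory 127.0.0.1:H entry, and every slave having to be covered or zone transfers to it fail), here is an added Python example that is not part of the original post or of BIND itself. The zone excerpt is constructed from the records above, the parse_secure_zone/is_allowed/audit functions are hypothetical names, and the assumption is that BIND 4.9.x matches a client against each "address:netmask" entry as a plain subnet test.

```python
import ipaddress

# Constructed zone-file excerpt using the secure_zone records from the post.
SAMPLE_ZONE = """\
secure_zone   IN   TXT   "204.255.212.0:255.255.255.0"
secure_zone   IN   TXT   "206.66.216.0:255.255.255.0"
secure_zone   IN   TXT   "207.19.140.173:H"
secure_zone   IN   TXT   "208.242.126.7:H"
secure_zone   IN   TXT   "127.0.0.1:H"
"""

def parse_secure_zone(zone_text):
    """Return the networks named by secure_zone TXT records.

    Each TXT string is "address:netmask"; the netmask "H" means a single
    host (255.255.255.255). Other records and ';' comments are ignored.
    """
    nets = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields or fields[0] != "secure_zone" or "TXT" not in fields:
            continue
        value = " ".join(fields[fields.index("TXT") + 1:]).strip('"')
        addr, _, mask = value.partition(":")
        mask = "255.255.255.255" if mask == "H" else mask
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def is_allowed(nets, client_ip):
    """True if the client address falls inside any listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)

def audit(zone_text, slaves):
    """Report the post's caveats: missing loopback entry, uncovered slaves.

    Returns a list of findings; an empty list means nothing to fix.
    """
    nets = parse_secure_zone(zone_text)
    findings = []
    if not is_allowed(nets, "127.0.0.1"):
        findings.append('missing mandatory secure_zone IN TXT "127.0.0.1:H"')
    for slave in slaves:
        if not is_allowed(nets, slave):
            findings.append(f"slave {slave} is not covered; zone transfers will fail")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE, ["207.19.140.173", "192.0.2.53"]))
```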