acl in /etc/named.conf
John
magiciq at noordbrabant.net
Wed Dec 4 19:24:19 UTC 2002
Hi,
To secure the DNS, we want to limit the queries' source IP addresses;
only members of ours may send a query to our DNSs.
Is it useful to use acl in /etc/named.conf if the acl member list is
going to get bigger and bigger??
At this moment our DNSs are connected with 5 foreign DNSs in several
countries. (Every country has 2 DNS IP addresses.)
Now we have around 10 IP-addresses + 6 local IP-addresses in the acl
NOTE!! All foreign DNS IP-addresses are using "type forward" in our
/etc/named.conf
All DNS are NOT connected with the internet, they are connected in a
"private" network.
e.g.

acl abroad { A.A.A.A; B.B.B.B; C.C.C.C; // blablabla 12 times IP-addresses
};
acl local { X.X.X.X; Y.Y.Y.Y; Z.Z.Z.Z; // etc..etc..etc..
            localhost; };

options {
    allow-query { abroad; local; };
};

zone "germany.de" {
    type forward;
    forwarders {
        A.A.A.A;
        B.B.B.B;
    };
    forward only;
};
But in the future our DNSs will be connected to another 40 countries. 2 x
40 = 80 + 12 + some local IP addresses.
You can imagine it will be a hell...:-( The ACL will be longer and
longer.
So my question is: is it advisable to put all those IP addresses in the
ACL?? Or should I just delete the allow-query under options and not use
it?? Or is there a better solution for that??
Regards,
John
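One way to keep an ACL like this manageable as it grows, added here as an example and not part of the original post or of BIND itself: keep a table of peer resolvers per country as the source of truth, generate one acl block per country plus an umbrella acl from it, and validate every address before it is written, so named.conf only ever references two names in allow-query. The addresses in the table are constructed documentation-range samples, and the per-country acl names (abroad_de and so on) and the include path in the comments are assumptions.

```python
"""Generate BIND 9 acl blocks from a table of peer resolvers.

Assumed use from named.conf (not part of the original post):

    include "/etc/named/acls.conf";
    options { allow-query { abroad; local; }; };

The generated file defines acl abroad_<cc> per country, an umbrella acl
abroad that references them, and acl local.
"""
import ipaddress

# Constructed sample input: country code -> the two resolver addresses
# allowed to query us. All addresses are from documentation ranges.
PEERS = {
    "de": ["192.0.2.10", "192.0.2.11"],
    "fr": ["198.51.100.10", "198.51.100.11"],
    "nl": ["203.0.113.10", "203.0.113.11"],
}

# Constructed sample; "localhost" is one of BIND's built-in acl names.
LOCAL = ["10.0.0.0/24", "localhost"]

BUILTIN_ACLS = ("any", "none", "localhost", "localnets")


def validate_entry(entry: str) -> str:
    """Accept an IP address, a CIDR prefix, or a built-in acl name.

    A typo in a hand-edited list can silently widen or break the policy,
    so every entry is parsed and emitted in one canonical form.
    """
    if entry in BUILTIN_ACLS:
        return entry
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"not an address, prefix, or built-in acl: {entry!r}") from exc
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)   # single host: emit without /32 or /128
    return str(net)                        # prefix: host bits already cleared


def render_acl(name: str, entries: list[str], *, validate: bool = True) -> str:
    """Render one `acl name { ...; };` block, one element per line."""
    items = [validate_entry(e) if validate else e for e in entries]
    body = "".join(f"    {item};\n" for item in items)
    return f"acl {name} {{\n{body}}};\n"


def render_config(peers: dict[str, list[str]], local: list[str]) -> str:
    """Build the acl file; refuse an address that appears under two countries."""
    seen: dict[str, str] = {}
    for country, addrs in peers.items():
        for addr in addrs:
            canon = validate_entry(addr)
            if canon in seen:
                raise ValueError(f"{canon} listed for both {seen[canon]} and {country}")
            seen[canon] = country
    parts = [render_acl(f"abroad_{cc}", addrs) for cc, addrs in sorted(peers.items())]
    # The umbrella acl references other acls by name, so it is not address-validated.
    parts.append(render_acl("abroad", [f"abroad_{cc}" for cc in sorted(peers)], validate=False))
    parts.append(render_acl("local", local))
    return "".join(parts)


if __name__ == "__main__":
    print(render_config(PEERS, LOCAL))
```

Adding a country is then a one-line change to the table rather than an edit inside a long brace list, and the generated file can be checked with named-checkconf before named is reloaded. Dropping allow-query altogether would open the servers to any host that can reach them on the private network, so the ACL is worth keeping even when it is long.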