acl in /etc/named.conf
Kevin Darcy
kcd at daimlerchrysler.com
Wed Dec 4 20:48:12 UTC 2002
John wrote:
>Hi,
>
>To secure the DNS, we want to limit the query source IP-addresses;
>only members from us may send a query to our DNS's.
>Is it useful to use acl in /etc/named.conf, if the acl member list is
>going bigger and bigger??
>At this moment our DNS's are connected with 5 foreign DNS's in several
>countries. (every country has 2 DNS IP-addresses).
>Now we have around 10 IP-addresses + 6 local IP-addresses in the acl
>
>NOTE!! All foreign DNS IP-addresses are using "type forward" in our
>/etc/named.conf
>All DNS are NOT connected with the internet, they are connected in a
>"private" network.
>
>e.g.
>acl abroad { A.A.A.A; B.B.B.B; C.C.C.C; // ... 12 IP-addresses in total
>};
>acl local { X.X.X.X; Y.Y.Y.Y; Z.Z.Z.Z; /* etc. */ localhost; };
>
>options {
>  allow-query { abroad; local; };
>};
>
>zone "germany.de" {
> type forward;
> forwarders {
> A.A.A.A;
> B.B.B.B;
> };
> forward only;
>};
>
>
>But in the future our DNS's will be connected to another 40 countries. 2 x
>40 = 80 + 12 + some local IP-addresses.
>You can imagine it will be a hell...:-( The ACL will be longer and
>longer.
>So my question is: is it advisable to put all those IP-addresses in the
>ACL?? Or should I just delete the allow-query under options and not use
>it?? Or is there a better solution for that??
>
Well, I've not actually tested this, but I think that you can use a
"key" argument in an "allow-query" restriction. This would imply that
only queries signed with a particular key would be allowed to query. So,
if you could convince all of your partners to configure a particular key
into their nameserver configurations, this might be more manageable, and
potentially (assuming you can keep the key contents secure) more secure
than trusting source addresses.
- Kevin
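An added example (not from either poster) of what the two ideas look like together in BIND 9 syntax: per-country ACLs nested into one top-level list, plus a `key` element in `allow-query` so a partner that TSIG-signs its queries is accepted regardless of source address. Names, addresses, the key name and the secret are placeholders.

```conf
// Added example; every name, address and the secret below are placeholders.
// Generate a real secret with tsig-keygen (dnssec-keygen on older BIND 9)
// and keep the file it lives in readable only by named.

// One shared TSIG key, configured identically on every partner server.
// hmac-sha256 needs BIND 9.5 or later; older releases only have hmac-md5.
key "partner-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Short per-country lists are easy to review and to revoke ...
acl germany { 192.0.2.1; 192.0.2.2; };
acl france  { 198.51.100.1; 198.51.100.2; };

// ... and ACLs may reference other ACLs, so the top-level list grows by
// one name per country rather than two addresses per country.
acl abroad { germany; france; };
acl local  { 203.0.113.0/24; localhost; };

options {
    // A query is accepted if it matches ANY element: a listed source
    // address, or a valid TSIG signature by partner-key from anywhere.
    allow-query { local; abroad; key partner-key; };
    // Keep transfers closed unless a secondary explicitly needs them.
    allow-transfer { none; };
};

zone "germany.de" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; };
};

// On each PARTNER server, the matching half: sign everything sent to
// this server with the shared key (203.0.113.53 is a placeholder).
//
//   key "partner-key" { algorithm hmac-sha256; secret "..."; };
//   server 203.0.113.53 { keys { partner-key; }; };
```

Run `named-checkconf /etc/named.conf` after editing; a missing `;` or the old `option`/`allow-queries` spellings are rejected before named is restarted.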