bind zone in BIND 9

Cricket Liu cricket at menandmice.com
Sat Nov 16 01:36:14 UTC 2002


Don Stokes wrote:
> In BIND 8 I was able to restrict access to the BIND zone quite easily,
> simply by refusing queries in all zones, and enabling for the zones I
> wanted served, e.g.
> 
> options {
> ...
> recursion no;
> allow-query { none; };
> };
> 
> zone "foo" {
> ...
> allow-query { any; };
> };
> 
> Thus a query for "x.bar." would be refused, as would a query for
> "version.bind.".  "x.foo." of course works fine, which is what I want.
> 
> With BIND 9 (9.2.1), the above configuration doesn't work.  "x.foo."
> works fine, "x.bar." is refused, but "version.bind." is allowed.
> 
> (a) Why?!?!?

Probably because, unless you use views, BIND 9's default view is
in the Internet class, and version.bind queries are in the CHAOSNET
class.

> (b) How can I stop it, short of defining a completely separate
> "bind" zone and then denying access to it?  This seems messy to me.

You could use the version options substatement.  (In BIND 9.3.0, you
can use "version none" to tell the name server not to respond to version
queries.)  Or you could create a CHAOSNET view with a bind zone
in it.

Recipe 7.1, if you've got the Cookbook.

cricket

Men & Mice
DNS Software, Training and Consulting
www.menandmice.com

The DNS and BIND Cookbook, now available!
http://www.oreilly.com/catalog/dnsbindckbk/
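
Added example, not part of the original message or of BIND: a small Python check an operator can run against a name server they administer to confirm that a version.bind query is no longer answered after applying one of the fixes above. The query is built in class CH (3) rather than IN (1), the distinction the reply points to; the function names and the sample responses (including the "9.2.1" string taken from the question) are constructed for illustration.

```python
import socket
import struct

QTYPE_TXT, QCLASS_CH = 16, 3   # CHAOS class is 3; ordinary zones use IN (1)

def build_query(name="version.bind", qclass=QCLASS_CH, txid=0x1234):
    """Wire-format query with one question, no recursion desired."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", QTYPE_TXT, qclass))

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def disclosed_version(resp):
    """Return the first TXT string of the answer, or None if nothing was disclosed."""
    _, flags, _, ancount = struct.unpack("!HHHH", resp[:8])
    if flags & 0x000F or ancount == 0:   # non-zero RCODE (e.g. 5 = REFUSED)
        return None
    pos = skip_name(resp, 12) + 4        # question: name, qtype, qclass
    pos = skip_name(resp, pos) + 10      # answer: name, type, class, ttl, rdlength
    return resp[pos + 1:pos + 1 + resp[pos]].decode("ascii", "replace")

def probe(server, timeout=3.0):
    """Ask a name server you operate for version.bind CH TXT over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return disclosed_version(s.recv(512))

def sample_response(query, rcode, txt=None):
    """Constructed reply for offline use: echoes the question, optional TXT answer."""
    rr = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, 1 if rr else 0, 0, 0)
    return header + query[12:] + rr

if __name__ == "__main__":
    q = build_query()
    print(disclosed_version(sample_response(q, 0, "9.2.1")))  # server answered
    print(disclosed_version(sample_response(q, 5)))           # server refused
```

`probe()` raises `socket.timeout` if the server drops the query instead of replying.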


