Antwort: Secure Bind DNS server problem
David Botham
DBotham at OptimusSolutions.com
Tue Apr 19 20:27:20 UTC 2005
bind-users-bounce at isc.org wrote on 04/19/2005 02:41:46 PM:
> But I thought that was why we had the external view which below says
"any"
>
> ...snip
> // Create a view for external DNS clients.
The view "matching" is ordered. That is to say, a client will be served
out of the first view they match. With your external view matching "any"
before your internal view, no one will ever see your internal view....
Dave...
> view "external-in" in {
> // Our external (untrusted) view. We permit any client to access
> // portions of this view. We do not perform recursion or cache
> // access for hosts using this view.
>
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> ... snip
>
> whereas the internal view says "trusted"
>
> ... snip
> view "internal-in" in {
> // Our internal (trusted) view. We permit the internal networks
> // to freely access this view. We perform recursion for our
> // internal hosts, and retrieve data from the cache for them.
>
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> ... snip
>
> holger.honert at signal-iduna.de wrote:
>
> >Hello Arthur,
> >your log-file says
> >
> >Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
> >'ptera.net/IN' denied
> >
> >which is correctly handled due to your statement
> >
> >allow-query {
> >// Accept queries from our "trusted" ACL. We will
> >// allow anyone to query our master zones below.
> >// This prevents us from becoming a free DNS server
> >// to the masses.
> >trusted;
> >};
> >
> >... snip
> >
> >acl "trusted" {
> >
> >
> >// Place our internal and DMZ subnets in here so that
> >// intranet and DMZ clients may send DNS queries. This
> >// also prevents outside hosts from using our name server
> >// as a resolver for other domains.
> >216.229.171.0/24;
> >69.28.32.0/20;
> >localhost;
> >};
> >
> >... snip
> >
> >you are allowing only queries clients listed in your acl.
> >
> >Maybe you check this out!
> >
> >Kind Regards/Freundlichen Gruß
> >
> >Holger Honert
> >
> >KOMN-97851
> >
> >SIGNAL IDUNA Gruppe
> >Joseph-Scherer-Str. 3
> >
> >44139 Dortmund
> >
> >Phone: +49 231/135-4043
> >FAX: +49 231/135-2959
> >
> >mailto: holger.honert at signal-iduna.de
> >
> >
> >
> >
> >
>
>
> --
> Arthur Stephens
> Senior Sales Technician
> Ptera Wireless Internet
> astephens at ptera.net
> 509-927-Ptera
>
>
More information about the bind-users
mailing list