BIND configuration question
Jim Reid
jim at rfc1035.com
Wed Apr 27 13:32:57 UTC 2005
On Apr 27, 2005, at 13:15, Ronald I. Nutter wrote:
> I have posted a couple of messages over the last few days. Guess I am
> not asking the question the right way. I am trying to restrict our
> external DNS server running BIND to only allow lookups to domains we are
> handling when those requests come from outside our network. I want our
> internal users (which will be coming from one of 5 class C ip ranges we
> are assigned) to be able to do recursive lookups, etc without any
> problems.
>
> Suggestions?
Have a global allow-query clause that's restricted to your local nets.
Then for each of your zones, add a per-zone clause of:
allow-query { any; };
The per-zone clauses supersede the global one. So this combination
allows outside users to make queries to your server for the local zones
it serves.
For added fun, have a global allow-recursion clause that's limited to
your local net. Stub resolvers elsewhere shouldn't be querying your
name servers anyway. At least, not without your prior consent.... And
name servers that are looking up your local names should be perfectly
capable of recursing for themselves. They won't need your name servers
to do that for them.
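A named.conf fragment putting the above into practice, added here as an illustration and not part of the original post or of BIND's own documentation. The acl name "ournets", the zone name and the address ranges are placeholders; substitute your own five class C ranges (the built-in acl name "localnets" is deliberately avoided because BIND predefines it).

```conf
// Added example, not from the original post. Address ranges and zone
// name are placeholders; put your own networks here.
acl "ournets" {
    127.0.0.1;            // the server itself
    192.0.2.0/24;         // placeholder: first of your five class C ranges
    198.51.100.0/24;      // placeholder
    203.0.113.0/24;       // placeholder
};

options {
    directory "/var/named";
    // Global default: only our own networks may query this server at all...
    allow-query     { ournets; };
    // ...and only our own networks may ask it to recurse. Outside name
    // servers looking up our zones can recurse for themselves.
    allow-recursion { ournets; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Per-zone clause supersedes the global allow-query, so anyone may
    // query this zone, but recursion is still governed by the global
    // allow-recursion above.
    allow-query { any; };
};
```

Run named-checkconf against the file before reloading, and confirm from an outside address that a query for a name you do not serve is refused while a query for example.com is answered.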