Bind behind a DMZ?
Mark Andrews
Mark_Andrews at isc.org
Tue Jan 8 01:02:57 UTC 2008
> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>
> > It doesn't seem to be working. Is this kind of thing ok
> > to do with bind? I have done it before with other DNS Servers but this is
>
>
> Your zone entry in named.conf should reflect this by use of "allow-query"
>
> eg:
>
> acl "trust" {
>         localhost;
>         localnets;
>         192.168.0.0/24;
> };
>
> acl "remotedns" {
>         1.2.3.4;
>         5.6.7.8;
> };
>
>
> zone "example.com" {
>         type master;
>         file "example.com";
>         allow-update { none; };
>         allow-transfer { trust; remotedns; };
>         allow-query { any; };
> };
> -OR-
> zone "example.com" {
>         type slave;
>         file "example.com";
>         masters { 1.2.3.4; };
>         allow-query { any; };
> };
>
> ....It's also been years since I've changed the way I do trusted ACLs,
> but I'm sure nowadays you don't need to include localhost or localnet as
> bind gets this from interfaces at startup and only need IP ranges
> not in the /24 (Mark? correct?)

The default is { localhost; localnets; }; for allow-query-cache
and allow-recursion. If however you set either one of these
or set allow-query the defaults are overridden with what you have
in the relevant acls.
allow-recursion and allow-query-cache cross inherit.
allow-recursion and allow-query-cache inherit from allow-query
if neither is set and allow-query is set.
Mark
> --
> Cheers
> Res
>
> mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
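
The inheritance rules in the reply above, modelled as an added example (not part of the original message and not ISC code), showing which settings leave recursion and cache answers open to `any`. The function names are illustrative, `None` stands for an option that is not set, the options are assumed to sit in `options` or a view, and the `any` default for `allow-query` is BIND's own default rather than something stated in the thread.

```python
# Added example: models the ACL inheritance described in the reply above.
DEFAULT = ("localhost", "localnets")  # stated default for the two recursion-side ACLs
ALLOW_QUERY_DEFAULT = ("any",)        # BIND default for allow-query (not from the thread)


def effective_acls(allow_query=None, allow_recursion=None, allow_query_cache=None):
    """Return the effective ACLs; None means the option is absent from named.conf."""
    rec, cache = allow_recursion, allow_query_cache
    if rec is None and cache is None:
        # Neither is set: inherit from allow-query if it is set,
        # otherwise fall back to the built-in default.
        rec = cache = allow_query if allow_query is not None else DEFAULT
    elif rec is None:
        rec = cache   # cross-inherit from allow-query-cache
    elif cache is None:
        cache = rec   # cross-inherit from allow-recursion
    return {
        "allow-query": tuple(allow_query) if allow_query is not None else ALLOW_QUERY_DEFAULT,
        "allow-recursion": tuple(rec),
        "allow-query-cache": tuple(cache),
    }


def exposed(acls):
    """List the recursion-side options whose effective ACL contains 'any'."""
    return [k for k in ("allow-recursion", "allow-query-cache") if "any" in acls[k]]


if __name__ == "__main__":
    # Constructed sample configurations, not taken from the thread.
    cases = {
        "nothing set": {},
        "allow-query any only": {"allow_query": ("any",)},
        "allow-query any + allow-recursion trust": {
            "allow_query": ("any",), "allow_recursion": ("trust",)},
        "allow-query-cache only": {"allow_query_cache": ("192.168.0.0/24",)},
    }
    for name, kwargs in cases.items():
        acls = effective_acls(**kwargs)
        print(f"{name}: {acls} exposed={exposed(acls)}")
```

Setting only `allow-query { any; };` is the case to check for on an authoritative server in a DMZ: both recursion-side ACLs inherit `any` unless one of them is set explicitly.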