Bind behind a DMZ?
Vincent Yonemitsu
vince at soilengineersltd.com
Tue Jan 8 02:25:41 UTC 2008
Figured it out shortly before I left work and didn't have a chance to post back. I was missing the allow query all; I had it restricted to my ACL list. Thanks folks. Sometimes you just need to ask, then stare at it before you figure it out. :)
--
Vincent Yonemitsu
Information Technology and Infrastructure Manager
vincentyonemitsu at soilengineersltd.com
Tel. (416) 754-8515 x 270
100 Nugget Avenue
Toronto, Ontario M1S 3A7
Toll Free Tel. (800) 268-5624 x 270
Fax: (416) 754-8516
>
>> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>>
>> > It doesn't seem to be working. Is this kind of thing ok to do with bind? I have done it before with other DNS Servers but this
>>
>> Your zone entry in named.conf should reflect this by use of "allow-query"
>>
>> eg:
>>
>> acl "trust" {
>>   localhost;
>>   localnets;
>>   192.168.0.0/24;
>> };
>>
>> acl "remotedns" {
>>   1.2.3.4;
>>   5.6.7.8;
>> };
>>
>> zone "example.com" {
>>   type master;
>>   file "example.com";
>>   allow-update { none; };
>>   allow-transfer { trust; remotedns; };
>>   allow-query { any; };
>> };
>>
>> -OR-
>>
>> zone "example.com" {
>>   type slave;
>>   file "example.com";
>>   masters { 1.2.3.4; };
>>   allow-query { any; };
>> };
>>
>> ....It's also been years since I've changed the way I do trusted ACLs, but I'm sure nowadays you don't need to include localhost or localnet as bind gets this from interfaces at startup and only need IP ranges not in the /24 (Mark? correct?)
>
> The default is { localhost; localnets; }; for allow-query-cache and allow-recursion. If, however, you set either one of these or set allow-query, the defaults are overridden with what you have in the relevant acls.
>
> allow-recursion and allow-query-cache cross inherit.
> allow-recursion and allow-query-cache inherit from allow-query if neither is set and allow-query is set.
>
> Mark
>
>> --
>> Cheers
>> Res
>>
>> mysql> update auth set Framed-IP-Address='127.0.0.127' where user='troll';
>>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
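The inheritance Mark describes is the trap when a DMZ authoritative server is opened up with `allow-query { any; };`: unless allow-recursion and allow-query-cache are set on their own, they inherit "any" and the box becomes an open recursive resolver. The named.conf fragment below is an added example (not posted in the thread); the ACL names, addresses, directory and zone file are assumptions that follow Res's example.

```conf
// Added example: BIND 9 named.conf for an authoritative server in a DMZ.
// ACL names, addresses and paths are constructed for illustration.
acl "trust" {
    192.168.0.0/24;          // internal network
};

acl "remotedns" {
    1.2.3.4;                 // secondary allowed to pull zone transfers
    5.6.7.8;
};

options {
    directory "/var/named";

    // Answer authoritative queries from anyone. This is what was missing
    // when allow-query was limited to the internal ACL and the DMZ server
    // refused lookups from outside.
    allow-query { any; };

    // Because allow-query is now set, allow-recursion and allow-query-cache
    // would inherit "any" if left unset (see Mark's note above). Either pin
    // both back to the internal ACL, or turn recursion off entirely on a
    // server that is only authoritative, as done here.
    recursion no;
    allow-recursion { trust; };
    allow-query-cache { trust; };

    // Zone transfers stay restricted even though queries are open.
    allow-transfer { remotedns; };
};

zone "example.com" {
    type master;
    file "example.com";
    allow-update { none; };
    allow-query { any; };    // public zone: answerable by anyone
};
```

Run `named-checkconf` against the file before reloading named to catch syntax errors in the ACL and options blocks.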