Bind behind a DMZ?

Mark Andrews Mark_Andrews at isc.org
Tue Jan 8 04:54:53 UTC 2008


> On Tue, 08 Jan 2008 12:02:57 +1100, Mark Andrews <Mark_Andrews at isc.org> wrote:
> > 
> >> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
> >>
> >> > It doesn't seem to be working. Is this kind of thing ok
> >> > to do with bind? I have done it before with other DNS Servers but this is
> >>
> >>
> >> Your zone entry in named.conf should reflect this by use of "allow-query"
> >>
> >> eg:
> >>
> >> acl "trust" {
> >>          localhost;
> >>          localnets;
> >>          192.168.0.0/24;
> >> };
> >>
> >> acl "remotedns" {
> >>          1.2.3.4;
> >>          5.6.7.8;
> >> };
> >>
> >>
> >> zone "example.com"  {
> >>          type master;
> >>          file "example.com";
> >>          allow-update { none; };
> >>          allow-transfer { trust; remotedns; };
> >>          allow-query { any; };
> >> };
> >>   -OR-
> >> zone "example.com" {
> >>          type slave;
> >>          file "example.com";
> >>          masters { 1.2.3.4; };
> >>          allow-query { any; };
> >> };
> >>
> >> ....It's also been years since I've changed the way I do trusted acls,
> >> but I'm sure nowadays you don't need to include localhost or localnet as
> >> bind gets this from interfaces at startup and you only need IP ranges
> >> not in the /24 (Mark? correct?)
> > 
> > 	The default is { localhost; localnets; }; for allow-query-cache
> > 	and allow-recursion.  If however you set either one of these
> > 	or set allow-query the defaults are overridden with what you have
> > 	in the relevant acls.
> > 
> > 	allow-recursion and allow-query-cache cross inherit.
> > 	allow-recursion and allow-query-cache inherit from allow-query
> > 	if neither is set and allow-query is set.
> > 
> > 	Mark
> 
> Is this also true for version 9.42?

	Yes.

> Using the example above on a server we
> recently changed to version 9.42 rejects recursion requests for the servers
> listed in the "trusted" acl - "trust" in the above example.
> 
> from our named.conf:
> 
> acl "trusted" {
> 1.2.3.4; 1.2.3.5; 1.2.3.6; 1.2.3.9; 2.3.4.5; 3.4.5.6; 5.6.7.8; };
> 
> options {
>     ...
>     allow-query { trusted; };
>     allow-recursion { trusted; };
>     ...
> };
> 
> zone "somedomain.tld" in {
>     type master;
>     file "somedomain.tld.zone";
>     allow-transfer { list of IP addresses };
> };
> 
> Yet the log fills up with lines indicating "recursion not available"
> when a /trusted/ client makes a request.
> 
> Has something changed?
> 
> Thank you.
> 
> > 
> >> --
> >> Cheers
> >> Res
> >>
> >> mysql> update auth set Framed-IP-Address='127.0.0.127' where user='troll';
> >>
> >>
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
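The inheritance rules Mark spells out in the quoted reply (a default of { localhost; localnets; } for allow-recursion and allow-query-cache, cross-inheritance between those two, and inheritance from allow-query when neither is set), worked through as an added Python model that is not BIND's code and not part of the thread. The LOCALHOST/LOCALNETS address sets, the function names and the rule that recursion needs both allow-query and allow-recursion to admit the client are constructed assumptions of the model.

```python
import ipaddress

# Constructed stand-ins for the sets BIND builds from its interfaces at startup.
LOCALHOST = ["127.0.0.0/8", "::1/128"]
LOCALNETS = ["192.168.0.0/24"]
DEFAULT_RECURSION_ACL = ["localhost", "localnets"]

def effective_acls(options):
    """options: dict of the ACLs explicitly set in options{} (name -> entry list).
    Returns the effective allow-query, allow-recursion and allow-query-cache
    lists using the inheritance rules described in the thread."""
    query = options.get("allow-query", ["any"])  # allow-query itself defaults to any
    recursion = options.get("allow-recursion")
    cache = options.get("allow-query-cache")
    if recursion is None and cache is None:
        # Neither set: inherit allow-query if it was set, otherwise the default.
        recursion = cache = list(query) if "allow-query" in options else list(DEFAULT_RECURSION_ACL)
    elif recursion is None:
        recursion = list(cache)      # allow-recursion / allow-query-cache cross-inherit
    elif cache is None:
        cache = list(recursion)
    return {"allow-query": query, "allow-recursion": recursion, "allow-query-cache": cache}

def acl_allows(acl, client, named_acls=None):
    """First-match evaluation of an address match list: entries may be any, none,
    localhost, localnets, a named acl or an IP/CIDR, each negatable with '!'."""
    named_acls = named_acls or {}
    addr = ipaddress.ip_address(client)
    for entry in acl:
        negate, name = entry.startswith("!"), entry.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in ("localhost", "localnets"):
            nets = LOCALHOST if name == "localhost" else LOCALNETS
            hit = any(addr in ipaddress.ip_network(n) for n in nets)
        elif name in named_acls:
            hit = acl_allows(named_acls[name], client, named_acls)
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False                      # falling off the end of the list denies

def recursion_allowed(options, client, named_acls=None):
    """Model assumption: recursion is served only when both effective lists admit the client."""
    eff = effective_acls(options)
    return (acl_allows(eff["allow-query"], client, named_acls)
            and acl_allows(eff["allow-recursion"], client, named_acls))
```

Fed the poster's options block (allow-query and allow-recursion both set to the named acl), the model grants recursion to every listed address, so under these rules the inheritance logic itself is not what would produce the "recursion not available" responses; note also that setting only allow-query { any; } makes the two recursion ACLs inherit "any".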