Bind behind a DMZ?

Steven Stromer filter at stevenstromer.com
Wed Jan 9 00:43:02 UTC 2008


On Jan 7, 2008, at 9:25 PM, Vincent Yonemitsu wrote:

>
> Figured it out shortly before I left work and didn't have a chance to
> post back. I was missing the allow-query all; I had it restricted to my
> ACL list. Thanks folks. Sometimes you just need to ask then stare at it
> before you figure it out. :)

I don't really get why you'd have to allow-query all. Shouldn't limiting
requests to your ACL list work just fine?


> -- 
>
> Vincent Yonemitsu
> Information Technology and Infrastructure Manager
> vincentyonemitsu at soilengineersltd.com
>
>>
>>> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>>>
>>>> It doesn't seem to be working. Is this kind of thing ok to do with
>>>> bind? I have done it before with other DNS Servers but this is
>>>
>>> Your zone entry in named.conf should reflect this by use of
>>> "allow-query"
>>>
>>> eg:
>>>
>>> acl "trust" {
>>>   localhost;
>>>   localnets;
>>>   192.168.0.0/24;
>>> };
>>>
>>> acl "remotedns" {
>>>   1.2.3.4;
>>>   5.6.7.8;
>>> };
>>>
>>> zone "example.com" {
>>>   type master;
>>>   file "example.com";
>>>   allow-update { none; };
>>>   allow-transfer { trust; remotedns; };
>>>   allow-query { any; };
>>> };
>>>
>>> -OR-
>>>
>>> zone "example.com" {
>>>   type slave;
>>>   file "example.com";
>>>   masters { 1.2.3.4; };
>>>   allow-query { any; };
>>> };
>>>
>>> ....It's also been years since I've changed the way I do trusted acl's,
>>> but I'm sure nowadays you don't need to include localhost or localnet as
>>> bind gets this from interfaces at startup and only need IP ranges not in
>>> the /24 (Mark? correct?)
>>
>> The default is { localhost; localnets; }; for allow-query-cache
>> and allow-recursion. If however you set either one of these
>> or set allow-query the defaults are overridden with what you have
>> in the relevant acls.
>>
>> allow-recursion and allow-query-cache cross inherit.
>>
>> allow-recursion and allow-query-cache inherit from allow-query
>> if neither is set and allow-query is set.
>>
>> Mark
>>
>>> -- 
>>> Cheers
>>> Res
>>>
>>> mysql> update auth set Framed-IP-Address='127.0.0.127' where user=
>>> 'troll';
>>>
>> -- 
>> Mark Andrews, ISC
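The inheritance rules Mark Andrews describes are what make the thread's fix risky on a DMZ server: if `allow-query { any; };` is set in `options` with no explicit `allow-recursion`, recursion inherits "any" and the host becomes an open resolver. The check below is added here and is not part of the thread; it applies those rules to two constructed `options` blocks (the `trusted` acl name is assumed to be defined elsewhere), reads only the options block, and ignores views and zone statements.

```python
import re

# BIND's default for allow-recursion / allow-query-cache, per the reply above.
DEFAULT_ACL = ["localhost", "localnets"]

# Constructed sample: the thread's fix applied globally, nothing else set.
OPEN_OPTIONS = """
options {
    directory "/var/named";
    allow-query { any; };
};
"""

# Constructed sample: same fix, but recursion pinned to an acl (assumed defined).
HARDENED_OPTIONS = """
options {
    directory "/var/named";
    allow-query { any; };           // zones must be resolvable from the Internet
    allow-recursion { trusted; };   // explicit, so it cannot inherit "any"
};
"""

def acl_setting(conf: str, name: str):
    """Address list of an options-level `name { ... };`, or None if unset."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}\s*;', conf)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(';') if tok.strip()]

def effective_acls(conf: str):
    """Resolve allow-recursion and allow-query-cache using the inheritance rules."""
    query = acl_setting(conf, "allow-query")
    recursion = acl_setting(conf, "allow-recursion")
    qcache = acl_setting(conf, "allow-query-cache")
    if recursion is None and qcache is None:
        # Neither set: both inherit allow-query when it is set, else the default.
        inherited = query if query is not None else DEFAULT_ACL
        return {"allow-recursion": inherited, "allow-query-cache": inherited}
    # At least one is set: the two cross-inherit from each other.
    recursion = recursion if recursion is not None else qcache
    qcache = qcache if qcache is not None else recursion
    return {"allow-recursion": recursion, "allow-query-cache": qcache}

def is_open_recursion(conf: str) -> bool:
    """True when the effective allow-recursion acl admits every client."""
    return "any" in effective_acls(conf)["allow-recursion"]

if __name__ == "__main__":
    for label, conf in (("open", OPEN_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, effective_acls(conf), "OPEN RESOLVER" if is_open_recursion(conf) else "ok")
```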



More information about the bind-users mailing list