Views and Blackhole

Chris Buxton cbuxton at menandmice.com
Tue Nov 18 06:46:13 UTC 2008


Remove your subnet from the bogons ACL at the beginning.

acl bogons {
	! 192.168.16.0/21;
	0.0.0.0/8;
	[...]
	192.168.0.0/16;
	[...]
};

Chris Buxton
Professional Services
Men & Mice

On Nov 17, 2008, at 8:38 PM, root net wrote:

> Hello,
>
> I have a server I am testing before I put it in production.  Working on  
> a more secure bind config.  BTW, if anyone has any other suggestions  
> on locking down bind besides the below and chroot, let me know.  I was  
> adding views, which has been debated time and time again whether or  
> not it really helps, but anyway.  My problem is I have the latest  
> bogons from team-cymru, which includes my internal network subnet  
> 192.168.16.0/21.  So in the bogons list it says 192.168.0.0/16, which  
> is blackholed.  So my local network is being blackholed, but it works  
> fine when users not on the bogons query the server from the external  
> view.  My question is how can I get this to work without adding each  
> CIDR block of the 192.168.0.0/16 separately or even breaking it up  
> in /21s?  I have tried everything I know how.  A sanitized portion of  
> my named.conf is this:
>
> //For length sakes I took out the other networks.....
>
> acl i_lan { 127.0.0.1; 192.168.16.0/21; };
> acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2;};
> acl bogons { 0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     5.0.0.0/8;
>     192.168.0.0/16;
>     198.18.0.0/15;
>     223.0.0.0/8;
>     224.0.0.0/3;
> };
>
> options {
>           version "Go Away";
>           directory "/var/named";
>           dump-file "/var/dump/named_dump.db";
>           pid-file "/var/run/named/named.pid";
>           statistics-file "/var/stats/named.stats";
>           recursion no;
>           allow-query { any; };
>           listen-on { 127.0.0.1; 192.168.16.2;};
>           recursive-clients 1000;
>           tcp-clients 1000;
>           auth-nxdomain yes;
>           blackhole { bogons; };
> };
>
> view "internal" {
>       match-clients { i_lan; };
>       notify no;
>       recursion yes;
>       allow-transfer { i_dns;};
> zone "localhost" {
>       type master;
>       file "localhost.zone";
> };
> zone "127.in-addr.arpa" {
>       type master;
>       file "localhost.zone";
> };
> zone "0.in-addr.arpa" {
>       type master;
>       file "named.zero";
> };
> zone "255.in-addr.arpa" {
>       type master;
>       file "named.broadcast";
> };
>
> // zones go here
> };
>
> view "external" {
>       match-clients { !i_lan; any; } ;
>       recursion no;
>       allow-transfer { i_dns;};
> // zones go here
> };
>
>
> Any help is appreciated and thanks in advance.
>
> RootNet08
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
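As an added illustration, not part of either message above and not BIND's own code: a small Python model of how BIND evaluates an address match list (first matching element decides; a leading "!" turns that decision into "no match"), run against the ACLs from the quoted named.conf. It shows why the negated entry only helps when it precedes 192.168.0.0/16, and why a client listed in both "bogons" and "i_lan" never reaches the internal view, because blackhole is consulted before match-clients. Nested ACL references are modelled as matching only on a positive match of the nested list; localhost/localnets/key elements are not modelled, and the client addresses are constructed for the example.

```python
# Added illustration, not code from the thread or from BIND: a model of how
# BIND evaluates an address match list (first matching element decides, a
# leading "!" makes that decision "no match"), run against the ACLs from the
# quoted named.conf.  Client addresses used below are constructed.
import ipaddress
from typing import Dict, List, Union

AclTable = Dict[str, List[str]]   # acl name -> ordered list of elements
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The prefixes from the posted "bogons" ACL, in the order they were posted.
BOGON_PREFIXES = ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8",
                  "192.168.0.0/16", "198.18.0.0/15", "223.0.0.0/8",
                  "224.0.0.0/3"]
I_LAN = ["127.0.0.1", "192.168.16.0/21"]

ACLS_AS_POSTED = {"i_lan": I_LAN, "bogons": BOGON_PREFIXES}
# The suggested fix: the negated exception comes first, so a 192.168.16.0/21
# client is decided by it before 192.168.0.0/16 is ever reached.
ACLS_FIXED = {"i_lan": I_LAN, "bogons": ["!192.168.16.0/21"] + BOGON_PREFIXES}
# Same exception placed last: 192.168.0.0/16 matches first, so it is never reached.
ACLS_WRONG_ORDER = {"i_lan": I_LAN, "bogons": BOGON_PREFIXES + ["!192.168.16.0/21"]}


def _element_matches(acls: AclTable, element: str, client: Address) -> bool:
    """Positive match of one element (negation already stripped) against client.

    Supports "any", "none", a reference to another named ACL, and a CIDR
    prefix or single address.  localhost/localnets/key elements are not modelled.
    """
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        # Nested ACL: modelled (assumption) as matching only when the nested
        # list matches positively; a negated or empty result is "no match".
        return acl_match(acls, element, client)
    net = ipaddress.ip_network(element, strict=False)
    return client.version == net.version and client in net


def acl_match(acls: AclTable, name: str, client_ip) -> bool:
    """True if `client_ip` is matched by ACL `name`; the first hit decides."""
    client = ipaddress.ip_address(client_ip) if isinstance(client_ip, str) else client_ip
    for raw in acls[name]:
        negated = raw.startswith("!")
        element = raw.lstrip("!").strip()   # "! 10.0.0.0/8" (with a space) is fine too
        if _element_matches(acls, element, client):
            return not negated               # first hit decides, positively or negatively
    return False                              # fell off the end: no match


# match-clients of the two views, in the order the views appear in named.conf
VIEWS = [("internal", ["i_lan"]), ("external", ["!i_lan", "any"])]


def view_for(acls: AclTable, client_ip, views=VIEWS) -> Union[str, None]:
    """Which view answers `client_ip`, or None if the blackhole drops it first.

    The blackhole list is consulted before view selection, which is why a
    client in both "bogons" and "i_lan" never reaches the internal view.
    """
    if acl_match(acls, "bogons", client_ip):
        return None
    for view_name, match_clients in views:
        table = {**acls, "__match_clients__": match_clients}
        if acl_match(table, "__match_clients__", client_ip):
            return view_name
    return None


if __name__ == "__main__":
    for label, table in [("as posted", ACLS_AS_POSTED), ("fixed", ACLS_FIXED),
                         ("wrong order", ACLS_WRONG_ORDER)]:
        for ip in ["192.168.16.50", "192.168.1.1", "198.51.100.7"]:
            print(f"{label:12s} {ip:15s} blackholed={acl_match(table, 'bogons', ip)!s:5s} "
                  f"view={view_for(table, ip)}")
```

Two practical notes that follow from the model: the exception has to be the first element of the list that can match the subnet, because evaluation stops at the first hit; and a bogon list pasted into named.conf goes stale, since 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8 and 223.0.0.0/8 have all been allocated since this 2008 list was taken, so a static blackhole ACL needs to be regenerated from the current Team Cymru data rather than kept as is.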
