Views and Blackhole

root net rootnet08 at gmail.com
Tue Nov 18 13:26:20 UTC 2008


Chris,

Thanks that worked.....

RootNet08

On Tue, Nov 18, 2008 at 12:46 AM, Chris Buxton <cbuxton at menandmice.com> wrote:

> Remove your subnet from the bogons ACL at the beginning.
>
> acl bogons {
> ! 192.168.16.0/21;
> 0.0.0.0/8;
> [...]
> 192.168.0.0/16;
> [...]
> };
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Nov 17, 2008, at 8:38 PM, root net wrote:
>
> Hello,
>
> I have a server I am testing before I put it in production.  Working on a more
> secure bind config.  BTW if anyone has any other suggestions on locking down
> bind besides the below and chroot, let me know.  I was adding views, which has been
> debated time and time again whether or not it really helps, but anyway.  My
> problem is I have the latest bogons from team-cymru which includes my
> internal network subnet 192.168.16.0/21.  So in the bogons list it says
> 192.168.0.0/16 which is blackholed.  So my local network is being
> blackholed but it works fine when users not on the bogons query the server
> from the external view.  My question is how can I get this to work without
> adding each cidr block of the 192.168.0.0/16 separately or even breaking
> it up in /21s? I have tried everything I know how.  A sanitized portion of
> my named.conf is this:
>
> //For length's sake I took out the other networks.....
>
> acl i_lan { 127.0.0.1; 192.168.16.0/21; };
> acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2;};
> acl bogons { 0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     5.0.0.0/8;
>     192.168.0.0/16;
>     198.18.0.0/15;
>     223.0.0.0/8;
>     224.0.0.0/3;
> };
>
> options {
>           version "Go Away";
>           directory "/var/named";
>           dump-file "/var/dump/named_dump.db";
>           pid-file "/var/run/named/named.pid";
>           statistics-file "/var/stats/named.stats";
>           recursion no;
>           allow-query { any; };
>           listen-on { 127.0.0.1; 192.168.16.2;};
>           recursive-clients 1000;
>           tcp-clients 1000;
>           auth-nxdomain yes;
>           blackhole { bogons; };
> };
>
> view "internal" {
>       match-clients { i_lan; };
>       notify no;
>       recursion yes;
>       allow-transfer { i_dns;};
> zone "localhost" {
>       type master;
>       file "localhost.zone";
> };
> zone "127.in-addr.arpa" {
>       type master;
>       file "localhost.zone";
> };
> zone "0.in-addr.arpa" {
>       type master;
>       file "named.zero";
> };
> zone "255.in-addr.arpa" {
>       type master;
>       file "named.broadcast";
> };
>
> // zones go here
> };
>
> view "external" {
>       match-clients { !i_lan; any; } ;
>       recursion no;
>       allow-transfer { i_dns;};
> // zones go here
> };
>
>
> Any help is appreciated and thanks in advance.
>
> RootNet08
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
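The reason Chris's one-line fix works is BIND's first-match rule for address match lists: the first element that matches decides, a negated match means "no", and a negated match inside a nested acl is treated as no match by the outer list. The following Python model of that evaluation is an added example, not code from the thread or from BIND; the ACL contents are copied from the thread, and the names bogons_original and bogons_fixed are my own labels for the before and after lists.

```python
import ipaddress

# ACLs from the thread, as plain lists of address_match_list elements.
# bogons_original is the list that blackholed the LAN; bogons_fixed has
# Chris Buxton's "! 192.168.16.0/21;" placed first (names are mine).
ACLS = {
    "i_lan": ["127.0.0.1", "192.168.16.0/21"],
    "bogons_original": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8",
                        "192.168.0.0/16", "198.18.0.0/15", "223.0.0.0/8",
                        "224.0.0.0/3"],
    "bogons_fixed": ["! 192.168.16.0/21", "0.0.0.0/8", "1.0.0.0/8",
                     "2.0.0.0/8", "5.0.0.0/8", "192.168.0.0/16",
                     "198.18.0.0/15", "223.0.0.0/8", "224.0.0.0/3"],
}


def match(addr, elements):
    """First-match evaluation of a BIND-style address_match_list.

    Returns +1 for a positive match, -1 for a negated match, 0 for no match.
    """
    ip = ipaddress.ip_address(addr)
    for elt in elements:
        negated = elt.startswith("!")
        name = elt.lstrip("! ")
        if name == "any":
            hit = True
        elif name in ACLS:
            # Nested acl: only a positive inner match counts. An inner
            # negated match is treated as "no match" so the outer list
            # keeps scanning instead of turning it into a surprise match.
            hit = match(addr, ACLS[name]) > 0
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def blackholed(addr, bogons_name):
    """blackhole { <bogons_name>; }: a positive match drops the query."""
    return match(addr, [bogons_name]) > 0


def selected_view(addr):
    """match-clients from the thread: i_lan -> internal, !i_lan; any -> external."""
    if match(addr, ["i_lan"]) > 0:
        return "internal"
    if match(addr, ["! i_lan", "any"]) > 0:
        return "external"
    return None
```

Ordering matters: a negation placed after 192.168.0.0/16 is never reached, because the /16 already matched.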