ACL per listening IP address ?
Oscar Ricardo Silva
osilva at scuff.cc.utexas.edu
Thu Sep 27 15:42:16 UTC 2012
I have several multi-homed caching servers and am using anycast. Each
server has it's native interface and then all of them advertise two
other IP addresses, 128.83.185.40 and 128.83.185.41. BIND only listens
on these other two IP addresses. There is no problem with this setup,
it works fine and queries are serviced without problem.
options {
listen-on port 53 {
128.83.185.40;
128.83.185.41;
};
Since these different physical servers are advertising the same IP
addresses (the two above), verifying the status/health of the instance
of BIND is tricky. Basically we have a script running on each server
which is used by our monitoring service.
Is there a way to apply individual BIND ACLs to each of the listening
interfaces, restricting who can query that particular address? My idea
is to add the native (unique) interface to named.conf but only allow
certain IP addresses to issue queries against it.
I'm not very familiar with the concept of views but I wonder if the
"match-client" statement might be the way to go. Alternatively we can
setup an external ACL (or firewall statement) that only allows queries
to the native address from our monitoring service.
Clear as mud?
Oscar
More information about the bind-users
mailing list