Cannot get "allow-query-on" to work

Bob Harold rharolde at umich.edu
Wed Jul 2 16:18:49 UTC 2014


The server I really need this for is a little more complex.  I was just
trying for a simple test case.

Here are more details on my plans to actually use "allow-query-on".  Two
DNS servers, one only for the data centers, and another for the users, but
also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf:
(has data center DNS resolver IP)
acl DATACENTER { ... data center subnets ... };
options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    ... my zones ....
};

DNS resolver for users, but also backup resolver for the data center:
(There are actually two of these.)
(has both user DNS resolver IP and data center DNS resolver IP)
options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    allow-query-on { data center resolver ip };
    ... my zones ...
};
view "users" {
    match-clients { "any"; };
    allow-query-on { user resolver ip };
    ... my zones ...
};

I don't want users trying to use the data center resolver IP.  Without the
"allow-query-on", it would work for them if the anycast path reached the
user resolver, but not if it reached the data center resolver.  That
confuses users.

(Actually, both data center and users have two anycast resolver IPs each,
so double the above sets of servers.)
The authoritative servers are a separate set of servers, not using anycast,
not involved in this.

-- 
Bob Harold
DNS Hostmaster
University of Michigan


On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.reindl at thelounge.net>
wrote:

>
> Am 02.07.2014 17:08, schrieb Bob Harold:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> > allow-query-on { 127.0.0.1; };
> >
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not
> > answer queries sent to the server's normal IP.
> > But it seems to have no effect.
>
> why listen on an interface you don't want to
> answer from, and so accept packets at all?
>
> listen-on              {any;};
> listen-on              {127.0.0.1;};
> listen-on              {127.0.0.1; 192.168.196.2;};
>
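Putting the two messages together, here is a complete named.conf sketch for the "users + data center backup" resolver described in the thread. This is an added example, not configuration from either poster; the IP addresses are constructed placeholders from the documentation ranges, and the DATACENTER subnets, the zone name and the file paths are assumptions standing in for the parts the thread elides.

```conf
// Added example: anycast resolver that serves users on one address and
// backs up the data center on another. All addresses are placeholders.
acl DATACENTER { 192.0.2.0/24; 198.51.100.0/24; };   // assumed subnets

options {
    directory "/var/cache/bind";
    // As the reply in the thread points out, named only sees packets on
    // addresses it listens on, so both anycast addresses are listed here.
    listen-on {
        203.0.113.10;   // data center resolver IP (placeholder)
        203.0.113.20;   // user resolver IP (placeholder)
        127.0.0.1;
    };
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};

// Views are tried in order, so the data center view must come first or
// DATACENTER clients would fall through into the "users" view.
view "datacenter" {
    match-clients { DATACENTER; };
    // Answer this view only on the data center anycast address. Note that a
    // DATACENTER client that reaches 203.0.113.20 also lands in this view
    // and is refused; list that address here too if that is not wanted.
    allow-query-on { 203.0.113.10; };
    zone "example.internal" {        // assumed zone; the thread elides its zones
        type master;
        file "/etc/bind/db.example.internal";
    };
};

view "users" {
    match-clients { any; };
    // Users are answered only on the user anycast address, so a user query
    // that happens to reach 203.0.113.10 gets REFUSED on every server
    // instead of working on some anycast paths and not others.
    allow-query-on { 203.0.113.20; };
    zone "example.internal" {
        type master;
        file "/etc/bind/db.example.internal";
    };
};
```

Run `named-checkconf` on the file before reloading, and verify the split with `dig` from a user subnet against each anycast address: the data center address should return REFUSED and the user address should answer.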