Cannot get "allow-query-on" to work

Reindl Harald h.reindl at thelounge.net
Wed Jul 2 16:28:42 UTC 2014


personally i would not mix that, but have separate virtual servers
and control the reachability via iptables; the servers
can act as slave/master where needed, so that the datacenter
nameserver has all zones and they differ where it makes sense

we do something similar with internal / public nameservers:
4 dns servers, 2 of them only reachable from specific IPs

some years ago i would have mixed that too, but not now that
VMware/Xen/KVM/LXC have become mature....

On 02.07.2014 18:18, Bob Harold wrote:
> The server I really need this for is a little more complex.  I was just trying for a simple test case.
> 
> Here are more details on my plans to actually use "allow-query-on".  Two DNS servers, one only for the data
> centers, and another for the users, but also as backup for the data center.
> 
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
> acl DATACENTER { ... data center subnets ... };
> options {
>     allow-query { any; } ;
>     allow-recursion { any; } ;
>     recursion yes;
> };
> view "datacenter" {
>  match-clients { DATACENTER; };
> ... my zones ....
> };
> 
> DNS resolver for users, but also backup resolver for the data center: (There are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
> options {
>     allow-query { any; } ; 
>     allow-recursion { any; } ;
>     recursion yes;
> };
> view "datacenter" {
> match-clients { DATACENTER; };
> allow-query-on { data center resolver ip };
> ... my zones ...
> };
> view "users" {
> match-clients { "any"; };
> allow-query-on { user resolver ip };
> ... my zones ...
> };
> 
> I don't want users trying to use the data center resolver IP.  Without the "allow-query-on", it would work for them
> if the anycast path reached the user resolver, but not if it reached the data center resolver.  That confuses users.
> 
> (Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)
> The authoritative servers are a separate set of servers, not using anycast, not involved in this.
> 
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
> 
>     On 02.07.2014 17:08, Bob Harold wrote:
>     > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>     >
>     > allow-query-on { 127.0.0.1; };
>     >
>     > To the default /etc/bind/named.conf.options file.
>     > That should make it only answer queries sent to 127.0.0.1, and not
>     > answer queries sent to the server's normal IP.
>     > But it seems to have no effect
> 
>     why listen on an interface you don't want to
>     answer from, and so accept packets at all?
> 
>     listen-on              {any;};
>     listen-on              {127.0.0.1;};
>     listen-on              {127.0.0.1; 192.168.196.2;};
