Cannot get "allow-query-on" to work
Reindl Harald
h.reindl at thelounge.net
Wed Jul 2 16:28:42 UTC 2014
personally I would not mix that and have own virtual servers
and control the reachability via iptables, the servers
can act as slave/master where needed so that the datacenter
nameserver has all zones and differ where it makes sense
we do something similar with internal / public nameservers
4 DNS servers, 2 of them only reachable from specific IPs
some years ago I would have mixed that too, but now with
VMware/Xen/KVM/LXC became mature....
On 02.07.2014 18:18, Bob Harold wrote:
> The server I really need this for is a little more complex. I was just trying for a simple test case.
>
> Here are more details on my plans to actually use "allow-query-on". Two DNS servers, one only for the data
> centers, and another for the users, but also as backup for the data center.
>
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
> acl DATACENTER { ... data center subnets ... };
> options { allow-query { any; } ;
> allow-recursion { any; } ;
> recursion yes;
> };
> view "datacenter" {
> match-clients { DATACENTER; };
> ... my zones ....
> };
>
> DNS resolver for users, but also backup resolver for the data center: (There are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
> options {
> allow-query { any; } ;
> allow-recursion { any; } ;
> recursion yes;
> };
> view "datacenter" {
> match-clients { DATACENTER; };
> allow-query-on { data center resolver ip };
> ... my zones ...
> };
> view "users" {
> match-clients { "any"; };
> allow-query-on { user resolver ip };
> ... my zones ...
> };
>
> I don't want users trying to use the data center resolver IP. Without the "allow-query-on", it would work for them
> if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.
>
> (Actually, both data center and users have two anycast resolver IP's each, so double the above sets of servers.)
> The authoritative servers are a separate set of servers, not using anycast, not involved in this.
>
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>
> On 02.07.2014 17:08, Bob Harold wrote:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> > allow-query-on { 127.0.0.1; };
> >
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not
> > answer queries sent to the server's normal IP.
> > But it seems to have no effect
>
> why listen on an interface you don't want to
> answer from and so accept packets at all?
>
> listen-on {any;};
> listen-on {127.0.0.1;};
> listen-on {127.0.0.1; 192.168.196.2;};
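As an added example, not part of the thread and not Bob Harold's real configuration: a named.conf for the combined user/data-center resolver described above, following Reindl's suggestion of binding only the addresses you actually want to answer on. The addresses, the ACL contents and the zone are placeholders. It brings in one view option the quoted configuration does not use, `match-destinations`, which selects the view by the address the query arrived on, so a user query sent to the data-center address matches no view and is refused instead of being answered; and because this is a recursive server it sets `allow-query-cache-on` and `allow-recursion-on` next to `allow-query-on`, since in BIND 9 `allow-query-on` governs answers from authoritative zone data while cache answers and recursion have their own `-on` options.

```conf
// Added example, not from the original thread. All addresses are assumed:
//   192.0.2.10 = data-center anycast resolver address
//   192.0.2.20 = user anycast resolver address
//   10.10.0.0/16, 10.20.0.0/16 = data-center client subnets
acl DATACENTER { 10.10.0.0/16; 10.20.0.0/16; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // Accept packets only on the two service addresses and loopback; a query
    // to any other local address is never read off the socket at all.
    listen-on    { 127.0.0.1; 192.0.2.10; 192.0.2.20; };
    listen-on-v6 { none; };
};

// Data-center clients, and only for queries that arrived on the data-center address.
view "datacenter" {
    match-clients        { DATACENTER; };
    match-destinations   { 192.0.2.10; };   // view selected by destination address
    allow-query          { DATACENTER; };
    allow-recursion      { DATACENTER; };
    allow-query-on       { 192.0.2.10; };   // authoritative zone answers
    allow-query-cache-on { 192.0.2.10; };   // answers from the cache
    allow-recursion-on   { 192.0.2.10; };   // recursion on behalf of the client

    // Assumed zone name and master; the real servers carry their own zones.
    zone "dc.example.net" {
        type slave;
        file "slave/dc.example.net";
        masters { 192.0.2.53; };
    };
};

// Everyone else, and only on the user address. A user query sent to
// 192.0.2.10 matches neither view and is answered with REFUSED.
view "users" {
    match-clients        { any; };
    match-destinations   { 192.0.2.20; };
    allow-query          { any; };
    allow-recursion      { any; };
    allow-query-on       { 192.0.2.20; };
    allow-query-cache-on { 192.0.2.20; };
    allow-recursion-on   { 192.0.2.20; };

    zone "dc.example.net" {
        type slave;
        file "slave/dc.example.net-users";
        masters { 192.0.2.53; };
    };
};
```

Check the result with `named-checkconf` before reloading, then query each address from a host inside and outside the DATACENTER subnets with `dig @192.0.2.10` and `dig @192.0.2.20`: the data-center address should answer only the DATACENTER hosts and return REFUSED to everyone else, the user address should answer both. Reindl's iptables alternative is the same policy one layer down: allow UDP and TCP port 53 to 192.0.2.10 only from the DATACENTER subnets, so that unwanted queries are dropped before named sees them.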