[H-GEN] local dns only

Tony Nugent tony at linuxworks.com.au
Thu Dec 5 14:41:18 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Thu Dec 05 2002 at 14:05, Bruce Campbell wrote:

> > > acl internal { 127.0.0.1/8; 192.168.0.0/24; };
> > > acl external { ! internal; };
> > >
> > > options {

Someone mentioned listen-on which would also be an excellent idea to
control which interfaces it actually listens on:

        listen-on { 127.0.0.1; 192.168.0.1; };
        
> > >   allow-query     { internal; };
> 
> Note that you can quite nicely shoot yourself in the foot here, if your
> nameserver is also authoritative for a particular zone which should be
> visible from the outside of your network.

Oh that's for sure, and that distinguishes allow-query from
allow-recursion.

  Allowing recursion will permit answering queries for zones for
  which that name server is not authoritative, i.e., the answer needs to
  be obtained from other name servers and not its own zone files.

If the name server is authoritative for a public internet domain or
in-addr.arpa addresses, then "allow-query { any; };" is essential to
allow this to happen (and then restricting recursion to internal
hosts only).

But in this case the nameserver wasn't authoritative for any zones -
or at least this wasn't mentioned.

On the other hand, it is not unusual (common?) to have bind set up
so that it is authoritative for zones and reverse lookups intended
only for internal private use.

> Hence, in that instance, you don't want to apply a restriction to
> allow-query, but you would want to keep the restrictions on:
> 
> > >   allow-transfer  { internal; };    // who can be given zone transfers
> > >   allow-recursion { internal; };    // who gets full DNS lookups
> > > };

It is also possible to further control access in other ways.

The allow-query directive (and others) can be used within zone
configs themselves, and when they appear there they completely
override the access directive in the global options.

One cool thing with bind 9 is the ability to use "views" in a
split-dns configuration... when queried by internal hosts they can
get one set of answers, but when queried by others then the name
server will give completely different answers.

This is especially useful when the name server is the official SOA
for a domain, while at the same time that domain name is also being
used extensively within a private network where the hosts all have
private 10/8, 172.16/12 or 192.168/16 addresses.  And access
directives can also be used within the view configs.

> Bruce.

Fun stuff...  :)

Cheers
Tony

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
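As an added example (not part of Tony's post or the thread, and not taken from any project), here is a complete BIND 9 named.conf that puts the points discussed above together: listen-on to pin the interfaces, allow-query { any; } because the server is authoritative for a public zone, allow-recursion restricted to the internal acl, a zone-level allow-transfer overriding the global one, and two views giving LAN hosts and outside hosts different answers. The domain example.com, the 192.168.0.0/24 LAN, the public interface address 203.0.113.1, the secondary at 192.168.0.2 and the /etc/bind and /var/cache/bind paths are all assumed placeholders.

```conf
// Added example, not from the original post. Assumed values: example.com,
// 192.168.0.0/24 LAN, public address 203.0.113.1, /etc/bind paths.

// 127.0.0.0/8 is written fully masked; named accepts 127.0.0.1/8 but warns.
acl internal { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/cache/bind";                       // assumed path

    // Only bind the loopback, the LAN interface and the public interface.
    // The public address must be here, or outside hosts can never reach
    // the zone we are authoritative for.
    listen-on { 127.0.0.1; 192.168.0.1; 203.0.113.1; };

    allow-query     { any; };       // public zone: anyone may ask
    allow-recursion { internal; };  // but only the LAN gets full lookups
    allow-transfer  { none; };      // global default; zones override below
};

// With views in use, every zone must live inside a view.

// Internal view: LAN hosts see private addresses and may recurse.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";   // assumed path
        allow-transfer { 192.168.0.2; };            // zone-level override:
                                                    // assumed LAN secondary
    };

    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.0";              // assumed path
    };
};

// External view: everyone else sees only the public zone and cannot
// use this server as a resolver.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.public";     // assumed path
        allow-transfer { none; };
    };
};
```

Views are matched in order, so the internal view must come first; a client that does not match "internal" falls through to "external". Note that listen-on alone is not an access control once a public address is listed, which is why allow-recursion (and "recursion no" in the external view) carries the restriction. `named-checkconf` will report syntax and structural errors such as a zone placed outside the views before the file is put into service.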
