DNS Security
Jim Reid
jim at rfc1035.com
Mon Dec 27 17:46:00 UTC 1999
>>>>> "Bill" == wwebb <wwebb at adni.net> writes:
Bill> Where there is a primary master zone with the server
Bill> supporting one or more resolvers, a configuration
Bill> recommended at: http://www.acmebw.com/securing/sld021.htm
Bill> is as follows:
Bill> acl internal { 206.168.119/24; };
Bill> options {
Bill> directory "/var/named";
Bill> recursion yes; //the default
Bill> allow-query { internal; };
Bill> };
Bill> zone "acmebw.com" {
Bill> type master;
Bill> file "db.acmebw";
Bill> allow-transfer { 207.69.231.3; 209.86.147.1; };
Bill> allow-query { any; };
Bill> };
Bill> Irrespective of an option to allow queries only from the
Bill> internal IP addresses, if a specific zone is set, such as
Bill> acmebw.com as above, isn't the default to allow queries to
Bill> that specific zone ?
Yes and no. If no access lists are used, anybody can query the server.
This is the default behaviour. When a zone has a zone-specific ACL,
then that ACL is used for lookups (or whatever) for that zone. If
there is a global ACL in the options{} statement, that is applied to
any zones that don't have their own ACLs. When there's both a global
and a zone-specific ACL, only the zone-specific one is applied.
Bill> If so, then what is the purpose of the
Bill> "allow-query { any; }" entry above?
This entry means that there's an ACL of "any" for the acmebw.com
zone. Anybody anywhere can send the name server queries for names in
that zone, which is how things generally should be. The zone-specific
ACL is applied instead of the global one. For lookups of any other
domains, the global ACL is applied. Presumably this restricts the name
server to handling lookups from acmebw.com's local resolvers. The
combination of the two ACLs means local users have free access to the
name server to look up anything, but the rest of the world can only use
it for queries about the acmebw.com zone.
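As an added illustration of the precedence rule described above (example code, not part of the original post or of BIND itself), here is a small Python model of allow-query evaluation using constructed ACLs that mirror the quoted named.conf; the `ACLS`, `GLOBAL_ALLOW_QUERY` and `ZONES` tables are assumptions standing in for the parsed config:

```python
"""Model of BIND allow-query precedence: a zone-specific ACL replaces the
global one; with no ACL at all, anybody can query (the default)."""
import ipaddress

# Constructed config mirroring the quoted named.conf (assumed, not parsed
# from a real file): a global ACL in options{} and a zone-specific ACL.
ACLS = {"internal": ["206.168.119.0/24"], "any": ["0.0.0.0/0"]}
GLOBAL_ALLOW_QUERY = ["internal"]                  # options { allow-query { internal; }; }
ZONES = {"acmebw.com": {"allow-query": ["any"]}}   # zone "acmebw.com" { allow-query { any; }; }


def _matches(acl_names, client):
    """True if the client address falls inside any prefix of the named ACLs."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(prefix)
               for name in acl_names for prefix in ACLS[name])


def zone_for(qname):
    """Closest enclosing zone this server is authoritative for, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def query_allowed(client, qname):
    """Apply the precedence rule: zone ACL if present, else the global ACL,
    else allow everything."""
    zone = zone_for(qname)
    if zone is not None and "allow-query" in ZONES[zone]:
        return _matches(ZONES[zone]["allow-query"], client)
    if GLOBAL_ALLOW_QUERY:
        return _matches(GLOBAL_ALLOW_QUERY, client)
    return True  # no ACL anywhere: the default is open to anybody
```

Run with a local address and an outside address against a name inside and outside acmebw.com to see that only the zone's own names are answered for the outside world.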