acl in /etc/named.conf

John magiciq at
Wed Dec 4 19:24:19 UTC 2002


To secure the DNS, we want to limit the source IP addresses of queries;
only members of ours may send a query to our DNS servers.
Is it useful to use an acl in /etc/named.conf if the acl member list
keeps growing bigger and bigger??
At this moment our DNS servers are connected with 5 foreign DNS servers in
several countries (every country has 2 DNS IP addresses).
Now we have around 10 IP addresses + 6 local IP addresses in the acl.

NOTE!! All foreign DNS IP addresses are using "type forward" in our
None of the DNS servers are connected to the internet; they are connected in a
"private" network.

acl abroad { A.A.A.A; B.B.B.B; C.C.C.C; /* ... 12 IP addresses in total */ };
acl local { X.X.X.X; Y.Y.Y.Y; Z.Z.Z.Z; /* etc. */ localhost; };

options {
  allow-query { abroad; local; };
};

zone "" {
  type forward;
  forwarders { /* foreign DNS addresses as posted, list not given */ };
  forward only;
};

But in the future our DNS servers will be connected to another 40 countries. 2 x
40 = 80 + 12 + some local IP addresses.
You can imagine it will be a hell... :-( The ACL will be longer and
So my question is: is it advisable to put all those IP addresses in the
ACL?? Or should I just delete the allow-queries under option and not use
it?? Or is there a better solution for that??
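One way to keep such a list manageable, as an added example that is neither the poster's configuration nor code from the BIND project: group the addresses into per-country ACLs, reference those from one combined ACL, and optionally keep the per-country lists in a separate file pulled in with include. All addresses and the include path are constructed placeholders.

```conf
// Added example, not the original poster's named.conf.
// Per-country ACLs: two DNS server addresses each (constructed placeholders).
acl "country-a" { 198.51.100.10; 198.51.100.11; };
acl "country-b" { 203.0.113.10; 203.0.113.11; };

// Alternatively, keep the per-country ACLs in their own file and pull it in
// here; an ACL must be defined before it is referenced.
// include "/etc/named/acl-countries.conf";   // hypothetical path

// Local hosts. A prefix covers a whole range, so contiguous addresses
// need not be listed one by one.
acl "local" { 127.0.0.1; 192.0.2.0/24; };

// ACLs may reference other ACLs, so the combined list stays one entry per
// country even when 40 more countries are added.
acl "abroad" { country-a; country-b; };

options {
    // Server-wide default: anything not in these ACLs is refused.
    allow-query { local; abroad; };
    // Only our own hosts may use this server as a recursive resolver.
    allow-recursion { local; };
};

zone "." {
    type forward;
    forwarders { 198.51.100.10; 203.0.113.10; };   // constructed placeholders
    forward only;
};
```

allow-query in options is only the server-wide default and can be overridden inside an individual zone statement; run named-checkconf on the file before reloading to catch a missing semicolon or an ACL referenced before its definition.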


