acl in /etc/named.conf

Kevin Darcy kcd at
Wed Dec 4 20:48:12 UTC 2002

John wrote:

>To secure the DNS, we want to limit the queries source IP-addressses,
>only member from us may send a query to our DNS's.
>Is it usefull to use acl in /etc/named.conf, if the acl member list is
>going bigger and bigger??
>At this moment our DNS's are connected with 5 foreign DNS's in several
>countries. (every countries has 2 DNS's IP-address).
>Now we have around 10 IP-addresses + 6 local IP-addresses in the acl
>NOTE!! All foreign DNS IP-addresses are using "type forward" in our
>All DNS are NOT connected with the internet, they are connected in a
>"private" network.
>acl abroad { A.A.A.A; B.B.B.B; C.C.C.C; blablalbla 12 times
>IP-addresses  };
>acl local { X.X.X.X; Y.Y.Y.Y; Z.Z.Z.Z; etc..etc..etc..; localhost }
>option {
>allow-queries { abroad; local };
>zone "" {
>  type forward;
> forwarders {
>              A.A.A.A;
>              B.B.B.B;
>              };
> forward only;
>But in the furture our DNS's will connected to another 40 countries. 2 x
>40 =80 + 12 + some local IP-addresses.
>You can imagine it will be a hell...:-( The ACL will be longer and
>So my question is is it advisable to put all those IP-address in the
>ACL?? Or should I just delete the allow-queries under option and not use
>it?? Or it there a better solution for that??

Well, I've not actually tested this, but I think that you can use a 
"key" argument in an "allow-query" restriction. This would imply that 
only queries signed with a particular key would be allowed to query. So, 
if you could convince all of your partners to configure a particular key 
into their nameserver configurations, this might be more manageable, and 
potentially (assuming you can keep the key contents secure) more secure 
than trusting source addresses
                                            - Kevin

More information about the bind-users mailing list