Reply: Secure Bind DNS server problem

Arthur Stephens astephens at ptera.net
Tue Apr 19 18:41:46 UTC 2005


But I thought that was why we had the external view which below says "any"

...snip
// Create a view for external DNS clients.
view "external-in" in {
    // Our external (untrusted) view. We permit any client to access
    // portions of this view. We do not perform recursion or cache
    // access for hosts using this view.

    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

... snip

whereas the internal view says "trusted"

... snip
view "internal-in" in {
    // Our internal (trusted) view. We permit the internal networks
    // to freely access this view. We perform recursion for our
    // internal hosts, and retrieve data from the cache for them.

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

... snip

holger.honert at signal-iduna.de wrote:

>Hello Arthur,
>your log-file says 
>
>Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied
>
>which is correctly handled due to your statement 
>
>allow-query {
>// Accept queries from our "trusted" ACL. We will
>// allow anyone to query our master zones below.
>// This prevents us from becoming a free DNS server
>// to the masses.
>trusted;
>};
>
>... snip
>
>acl "trusted" {
>
>
>// Place our internal and DMZ subnets in here so that
>// intranet and DMZ clients may send DNS queries. This
>// also prevents outside hosts from using our name server
>// as a resolver for other domains.
>216.229.171.0/24;
>69.28.32.0/20;
>localhost;
>};
>
>... snip
>
>you are allowing only queries from clients listed in your acl.
>
>Maybe you should check this out!
>
>Kind Regards/Freundlichen Gruß
> 
>Holger Honert
> 
>KOMN-97851
> 
>SIGNAL IDUNA Gruppe
>Joseph-Scherer-Str. 3
> 
>44139 Dortmund
> 
>Phone: +49 231/135-4043
>FAX: +49 231/135-2959
> 
>mailto: holger.honert at signal-iduna.de


-- 
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera
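
The two quoted pieces of configuration interact as follows: match-clients only selects which view answers, while allow-query is a separate check that a zone inherits from the view or from the global options unless it is overridden. The model below is an added example, not part of either message or of BIND itself. It assumes "internal-in" is listed before "external-in", that ptera.net is defined in both views, and that "localhost" is loopback only; the zone-level override passed to `build_views` is hypothetical.

```python
import ipaddress

# ACLs from the quoted named.conf. "localhost" is modelled as loopback (assumption);
# "any" covers IPv4 only in this model.
ACLS = {
    "trusted": ["216.229.171.0/24", "69.28.32.0/20", "127.0.0.0/8"],
    "any": ["0.0.0.0/0"],
}

def in_acl(client, acl_name):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net) for net in ACLS[acl_name])

def select_view(client, views):
    # named uses the first view, in file order, whose match-clients matches.
    for view in views:
        if in_acl(client, view["match_clients"]):
            return view
    return None

def query_allowed(client, zone, views, options_allow_query):
    """Return (view name, allowed?) for a query from client for zone."""
    view = select_view(client, views)
    if view is None or zone not in view["zones"]:
        return None, False
    # allow-query precedence: zone statement, else view, else global options.
    acl = (view["zones"][zone].get("allow_query")
           or view.get("allow_query")
           or options_allow_query)
    return view["name"], in_acl(client, acl)

def build_views(external_zone_acl=None):
    # View order and zone placement are assumptions, not taken from the thread.
    return [
        {"name": "internal-in", "match_clients": "trusted",
         "zones": {"ptera.net": {}}},
        {"name": "external-in", "match_clients": "any",
         "zones": {"ptera.net": {"allow_query": external_zone_acl}}},
    ]

if __name__ == "__main__":
    client = "71.4.246.96"  # client address from the quoted log line
    # Global allow-query { trusted; } with no override in the external zone.
    print(query_allowed(client, "ptera.net", build_views(), "trusted"))
    # Same global option, with allow-query { any; } on the external zone.
    print(query_allowed(client, "ptera.net", build_views("any"), "trusted"))
```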



More information about the bind-users mailing list