SV: Views vs. firewall for simple usage?

Chris Boot bootc at bootc.net
Thu Jun 8 14:52:47 UTC 2006


There's a lot more to it than this, since with BIND < 9.4 machines that 
can't recurse can still get stuff out of the cache. There should be 
plenty of this if you give Google a search; I just can't remember how to 
do this!

Chris

Ronni Jensen wrote:
> Thank you for the quick reply :)
>
> Ok, so actually if I allow any network to access my slaves on port 53,
> the following configuration on ns1 and ns2 (slaves, which are public)
> will do the trick to let only our own customers on 111.222.0.0/20
> network do recursive queries, and for "the world" to do only
> authoritative queries?
>
> acl "ourcustomers" {
> 	111.222.0.0/20;
> 	localnets;
> };
>
> options {
> 	allow-recursion { "ourcustomers"; };
> };
>
> /Ronni
>
>
> -----Original message-----
> From: Chris Boot [mailto:bootc at bootc.net] 
> Sent: 8 June 2006 15:31
> To: Ronni Jensen
> Cc: bind-users at isc.org
> Subject: Re: Views vs. firewall for simple usage?
>
> Ronni Jensen wrote:
>   
>> Hi,
>>
>> I have a little issue, that I hope you can help me enlighten;
>>
>> Our DNS setup:
>> 1 master (on same LAN as slaves)
>> 2 slaves (with public IPs NAT'ed through our firewall to their local
>> IP. Customers use these as pri/sec dns servers)
>>
>> The only purpose of this setup is to be authoritative for zones hosted
>> by our company, and enable our customers to use the slaves for both
>> authoritative and recursive queries.
>>
>> As I see it, there is no purpose in the headache of working with
>> internal and external views in BIND, since it is only our customers on
>> a AAA.BBB/20 network that are supposed to query the servers.
>>
>> Could I just configure BIND with "recursion yes;" (default) and then
>> prohibit the access in our firewall to only OUR customers, by allowing
>> only AAA.BBB/20 to access ns1 and ns2 on port 53, and deny all other
>> networks?
>>
>> Are there any security risks or other issues in this? I can't see any,
>> since only our customers on AAA.BBB/20 are able to query the servers..
>>
>> With kind regards,
>> Ronni
>
> Well if you want your servers to be authoritative for some external 
> zones you're going to have to let the world query your server to get at 
> those zones. You're best to set up ACLs and only allow your internal 
> network + customers to do recursive queries.
>
> Chris
>
>   
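As an added example (editor's addition, not a config posted by Chris or Ronni): a named.conf fragment for the public slaves ns1/ns2 that keeps authoritative service open to the world while restricting both recursion and cache lookups to the customer ACL. The weak form is the quoted configuration; the hardened form adds `allow-query-cache`, which exists from BIND 9.4 onward and is the control Chris is alluding to. The 111.222.0.0/20 prefix and the ACL name come from the thread; the zone name `example.com`, the master address 192.0.2.10 and the slave file path are assumptions.

```conf
// Added example, not from the thread. named.conf fragment for ns1/ns2.
// Assumed: zone "example.com", master 192.0.2.10, file path under slave/.

acl "ourcustomers" {
	111.222.0.0/20;
	localnets;    // on the NAT'd LAN this also matches the slaves' own subnet
};

options {
	// Weak (the quoted config): allow-query defaults to "any", and on
	// BIND < 9.4 that also governs answers from the cache, so anyone can
	// send a non-recursive (RD=0) query and read whatever is cached.
	//
	//   allow-recursion { "ourcustomers"; };

	// Hardened (BIND 9.4+): authoritative data stays open, recursion and
	// cache access are limited to the customer ACL.
	allow-query       { any; };
	allow-recursion   { "ourcustomers"; };
	allow-query-cache { "ourcustomers"; };
};

zone "example.com" {
	type slave;
	masters { 192.0.2.10; };
	file "slave/example.com";
};
```

To check it from an address outside the ACL, ask for a name the server is not authoritative for with recursion disabled, e.g. `dig +norecurse @ns1 www.example.org A`: with the hardened options the server should refuse rather than answer from cache, while `dig @ns1 example.com SOA` still returns the authoritative answer. On a BIND release older than 9.4 there is no `allow-query-cache`, so the only ways to close the cache to outsiders are to upgrade or to fall back on the views Ronni wanted to avoid.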