Problem with Views and restricting recursive queries --Help!

Chris Dibble Chris.Dibble at gov.ab.ca
Fri Dec 7 22:26:14 UTC 2007


Hello, I had posted about a problem I was having with regards to
restricting recursion to a certain view earlier, but I am no closer to
finding out what is wrong.. Version: BIND 9.2.2.P1
Below is basically a stripped down copy of our config for one of our
secondary DNS servers (the one I can mess with!)... We are trying to
implement two views, a public and a private one. It is preferred that
people that fall into the public category do not have the ability to see
our private zones or perform recursive queries at all.

Our intention is to restrict lookups for anyone not on our ACL_TRUSTED
acl.. The two requirements are the following:

-anyone defined in ACL_TRUSTED should have access to our INTERNAL zones:
'ourdomain' and *also* all INTERNET zones as well. Also, must need to be
able to perform recursive queries (ie: google.com)

-everyone else (non trusted) should only be able to see INTERNET zones:
'ourwebsite', etc.. and no ability to recurse (Query refused) if it's not
one of the INTERNET zones...

I was hoping that in the below scenario, ACL_TRUSTED would match in both
INTERNAL and INTERNET views giving full access, and everyone else just
INTERNET. I thought I would turn off recursion by default and then use
the allow-recursion clause to override for ACL_TRUSTED IPs but it does
not seem to work. My guess is when it 'hits' the INTERNET view, it says
recursion no. help!!

So my question is if there is something I am doing wrong or if there is
a better way to do this. I'd hate to have to copy and paste all the
INTERNET zones into the INTERNAL one, that would be nuts! :) Any help
would be a godsend!! Thanks in advance!


Here is a sample of our config:

------------------------------------------------------------------------------------


//define trusted IP's

acl ACL_TRUSTED {
	118.229.0.0/16; 198.213.0.0/16;    //etc.. Etc..
};


options {
	directory "/etc/named.zone";

	recursive-clients 2000;

	transfer-source 145.229.194.2;

	additional-from-cache no;

	recursion no;				//turn off recursion by default

	allow-recursion { acl_trusted; };	//?? Override and let trusted recurse -- **doesn't work**
};


view "INTERNAL" IN {
	match-clients { ACL_TRUSTED; } ;

	//** if we are 'trusted' then give me recursion!
	recursion yes;				
        
	zone "ourdomain" {
		type slave;
		file "slave/ourdomain.private";
		masters { 199.161.6.8; };
		allow-transfer { 199.161.6.8; };
	};
};


view "INTERNET" IN {
	match-clients { any; };
	
	//**tried the two lines below just to test, but it did not work.
	//**the recursion no would turn it OFF for everyone, even trusted people.. why??!!
	
	recursion no;
	allow-recursion { ACL_TRUSTED; };


	zone "0.0.127.in-addr.arpa" {
        	type master;
        	file "arpa.127.0.0";
	};

	zone "ourwebsite.com" {
		type slave;
        	file "slave/website.public";
        	masters { 199.161.6.8; };
        	allow-transfer { 199.161.6.8; };
	};


	//**LOTS of public zones here**
};

--------------------------------------------------------------------------------
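As an added illustration (not BIND code and not the poster's configuration), the following Python model reproduces how BIND selects a view for a client: views are tried in the order they appear in named.conf, the first view whose match-clients ACL matches wins, and the client never falls through to a later view. It loads the ACL, view order and zone lists from the posted config and runs constructed queries from one address inside ACL_TRUSTED and one outside. The client addresses, query names and the assumption that the options-level allow-recursion names the same ACL as ACL_TRUSTED are all constructed for the model.

```python
"""Model of BIND view selection for the split-view config in the post.

Constructed example, not BIND code: views are evaluated in named.conf
order and the first match-clients hit handles the query.  ACL prefixes,
view order and zone names come from the posted config; client addresses
are constructed stand-ins.
"""
import ipaddress

# ACL from the post (the two prefixes shown there).
ACLS = {
    "ACL_TRUSTED": ["118.229.0.0/16", "198.213.0.0/16"],
    "any": ["0.0.0.0/0"],
}

# Options-level defaults that a view inherits unless it overrides them.
# Assumption: the options-level allow-recursion refers to ACL_TRUSTED.
OPTIONS = {"recursion": False, "allow-recursion": ["ACL_TRUSTED"]}

# Views in named.conf order, each with its overrides and authoritative zones.
VIEWS = [
    {"name": "INTERNAL", "match-clients": ["ACL_TRUSTED"],
     "recursion": True, "zones": ["ourdomain"]},
    {"name": "INTERNET", "match-clients": ["any"],
     "recursion": False, "allow-recursion": ["ACL_TRUSTED"],
     "zones": ["0.0.127.in-addr.arpa", "ourwebsite.com"]},
]


def acl_matches(acl_names, client_ip):
    """True if the client address falls into any of the named ACLs."""
    addr = ipaddress.ip_address(client_ip)
    for name in acl_names:
        for prefix in ACLS[name]:
            if addr in ipaddress.ip_network(prefix):
                return True
    return False


def select_view(client_ip):
    """First-match view selection, as BIND does it; None if nothing matches."""
    for view in VIEWS:
        if acl_matches(view["match-clients"], client_ip):
            return view
    return None


def in_zone(qname, zones):
    """True if qname is at or below one of the view's authoritative zones."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)


def answer(client_ip, qname):
    """Return (view name, outcome) for one query.

    'authoritative' when the selected view serves the zone itself,
    'recursive' when that view enables recursion and allows it for this
    client, and 'REFUSED' otherwise (recursion off, or no view matched).
    """
    view = select_view(client_ip)
    if view is None:
        return (None, "REFUSED")
    if in_zone(qname, view["zones"]):
        return (view["name"], "authoritative")
    recursion = view.get("recursion", OPTIONS["recursion"])
    allow = view.get("allow-recursion", OPTIONS["allow-recursion"])
    if recursion and acl_matches(allow, client_ip):
        return (view["name"], "recursive")
    return (view["name"], "REFUSED")


if __name__ == "__main__":
    # Constructed clients: one inside ACL_TRUSTED, one outside it.
    for client in ("118.229.10.5", "203.0.113.7"):
        for name in ("host.ourdomain", "www.ourwebsite.com", "www.google.com"):
            print(client, name, answer(client, name))
```

Running the model shows the consequence of first-match view selection: a trusted client is handled entirely by INTERNAL, so the recursion no in INTERNET never applies to it, and it reaches ourwebsite.com only through recursion rather than from the slave copy held in the INTERNET view; an untrusted client lands in INTERNET, gets authoritative answers for the public zones, and is refused for everything else, including the private zone.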




