Issues with loop

Jeff Lightner jlightner at water.com
Fri Jul 11 15:58:51 UTC 2008


We just did this.

In the options section of named.conf we added:
allow-query { internaldns; externaldns; };
allow-recursion { internaldns; externaldns; };

internaldns and externaldns are our ACLs of the systems we wish to allow - we
have specific IPs and IP ranges internal to our network such as:

acl "internaldns" {
        10.0.9.44; 10.0.9.44; 10.0.16/22; 10.0.11/22; 10.0.19/22; 127.0.0.1;
};

The externaldns ACL would be specific Internet addresses to which we want to
allow the same capability as the internal networks.  (Of course you don't
really have to have two ACLs - you could put all of them in a single acl.)

The above takes care of cache lookups and recursion from people you
don't allow.

Then add the following to each zone file designation:
allow-query { any; };

That allows anyone to query the zones for which your server is
authoritative.  (Don't forget to do the same in the secondary/slave servers'
named.conf as well.)

This information was gleaned from the list at the end of last month and
works like a champ.
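For reference, the pieces described above assembled into one single-view named.conf fragment. This is an added illustration, not configuration from either poster; the 10.0.x.x and 127.0.0.1 entries are from the reply above, while the externaldns addresses, the transfer peer and the directory are placeholders (RFC 5737 test ranges) to be replaced with your own:

```conf
// Added example: ACL-based split between "who may recurse" and
// "who may query authoritative zones", without views.

// Hosts allowed to use the cache and to recurse (values from the reply,
// plus 127.0.0.1 for the local resolver).
acl "internaldns" {
        127.0.0.1;
        10.0.9.44;
        10.0.16/22;      // BIND accepts abbreviated dotted-quad prefixes
        10.0.11/22;
        10.0.19/22;
};

// External client addresses given the same capability (placeholders).
acl "externaldns" {
        192.0.2.10;
        198.51.100.0/24;
};

options {
        directory "/var/named";          // placeholder path

        recursion yes;

        // Default for cache lookups and for every zone that does not
        // override it: only the two ACLs above.
        allow-query     { internaldns; externaldns; };
        allow-recursion { internaldns; externaldns; };
        // allow-query-cache is not set, so it defaults to the
        // allow-recursion list; everyone else gets REFUSED on
        // non-authoritative names.

        allow-transfer  { 127.0.0.1; 203.0.113.5; };   // placeholder secondary
};

// Authoritative zone: the zone-level allow-query overrides the global one,
// so the whole Internet may query this zone. Recursion for outside clients
// is still denied by the options block.
zone "0.0.122.in-addr.arpa" IN {
        type slave;
        file "slaves/122.0.0";
        masters { 123.123.123.123; };
        allow-query { any; };
};
```

Run `named-checkconf /etc/named.conf` after editing to catch syntax errors before reloading. The same `allow-query { any; };` line belongs in each authoritative zone statement on the secondaries too, since each server evaluates its own options and zone clauses independently.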

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Jonathan Petersson
Sent: Thursday, July 10, 2008 10:06 PM
To: Bind-Users List
Subject: Issues with loop

Hi everyone.

I recently took a couple of new DNS servers online and have stumbled
upon an issue. These servers are hosting a couple of reverse zones and
allow recursive lookup for our own external networks. This seems to
cause a loop when looking up records of the hosted zones.

Could anyone recommend another approach to allow recursive lookups for
known networks and still only allow queries for the authoritative
zones to the rest of the Internet?

(The networks in this config are not ours)

Thanks

options {
        query-source address * port 53;

        directory "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        version "surely you must be joking";

        allow-transfer {
                127.0.0.1;
                123.123.123.123;
        };

        querylog yes;

};

logging {
        channel default_debug {
                file "/var/log/named.run";
                severity dynamic;
        };

        channel query_log {
                file "/var/log/querylog" versions 3 size 40m;
                print-time yes;
        };

        category queries { query_log; };
};

view "known" {
        match-clients {
                127.0.0.1;
                122.0.0.0/24;         # Allowed network
        };

        recursion yes;

        include "/etc/named.root.hints";
        include "/etc/named.rfc1912.zones";
};

view "all" {
        match-clients { any; };
        recursion no;

        zone "0.0.122.in-addr.arpa" IN {
                type slave;
                file "slaves/122.0.0";
                masters { 123.123.123.123; };
        };
};