Views and Blackhole

root net rootnet08 at gmail.com
Tue Nov 18 03:38:13 UTC 2008


Hello,

I have a server I am testing before I put it in production.  I am working on a more
secure BIND config.  BTW, if anyone has any other suggestions on locking down
BIND besides what is below and chroot, let me know.  I was adding views, which has been
debated time and time again whether or not it really helps, but anyway.  My
problem is I have the latest bogons from Team Cymru, which includes my
internal network subnet 192.168.16.0/21.  So in the bogons list it says
192.168.0.0/16, which is blackholed.  So my local network is being blackholed,
but it works fine when users not on the bogons list query the server from the
external view.  My question is how can I get this to work without adding
each CIDR block of 192.168.0.0/16 separately or even breaking it up into
/21s?  I have tried everything I know how.  A sanitized portion of my
named.conf is this:

//For length's sake I took out the other networks.....

// NOTE(review): BIND address match lists are evaluated top to bottom and the
// first matching entry decides; a leading "!" negates an entry.  That ordering
// is what makes the bogons/blackhole problem below solvable without splitting
// the /16.
// NOTE(review): as posted, the "192.168.16.0/21" entry has no trailing ";"
// before "}" - named-checkconf should reject this; presumably lost in sanitizing.
acl i_lan { 127.0.0.1; 192.168.16.0/21};
// Hosts allowed to pull zone transfers (used by allow-transfer in both views).
acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2;};
// Abbreviated bogon list.  192.168.0.0/16 also covers the internal
// 192.168.16.0/21, and "blackhole" is an options-level (server-wide) setting,
// so internal clients are dropped before any view's match-clients is consulted.
// The usual fix is a negated entry for the trusted prefix placed BEFORE the
// /16 in this list (e.g. "!i_lan;" or "!192.168.16.0/21;"), relying on
// first-match evaluation, rather than enumerating the remaining /21s.
acl bogons { 0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    5.0.0.0/8;
    192.168.0.0/16;
    198.18.0.0/15;
    223.0.0.0/8;
    224.0.0.0/3;
};

options {
          // Hides the real BIND version string from CH TXT "version.bind" queries.
          version "Go Away";
          directory "/var/named";
          dump-file "/var/dump/named_dump.db";
          pid-file "/var/run/named/named.pid";
          statistics-file "/var/stats/named.stats";
          // Global default: no recursion.  The "internal" view below turns it
          // back on for i_lan only; the "external" view keeps it off.
          recursion no;
          // Global default inherited by views that do not override it.
          allow-query { any; };
          listen-on { 127.0.0.1; 192.168.16.2;};
          recursive-clients 1000;
          tcp-clients 1000;
          // NOTE(review): forces the AA bit on NXDOMAIN answers even when this
          // server is not authoritative; the BIND 9 default is "no" and it is
          // only needed for very old resolver software - consider removing.
          auth-nxdomain yes;
          // Queries from these sources are silently dropped (no response at
          // all).  Because this is server-wide, it cannot be overridden per
          // view; exemptions must be expressed inside the "bogons" ACL itself.
          blackhole { bogons; };
// NOTE(review): the options block is not closed with "};" before the first
// view begins, so as posted the views would be nested inside options (a
// syntax error).  Presumably dropped while sanitizing.

view "internal" {
      // First view in file order that matches wins; i_lan clients land here.
      match-clients { i_lan; };
      notify no;
      // Recursion only for the trusted LAN - avoids acting as an open resolver.
      recursion yes;
      // Zone transfers restricted to the i_dns hosts.
      allow-transfer { i_dns;};
zone "localhost" {
      type master;
      file "localhost.zone";
};
zone "127.in-addr.arpa" {
      type master;
      file "localhost.zone";
};
zone "0.in-addr.arpa" {
      type master;
      file "named.zero";
};
zone "255.in-addr.arpa" {
      type master;
      file "named.broadcast";
// NOTE(review): only one "};" follows, so either this zone or the "internal"
// view is left unclosed as posted.

// zones go here
};

view "external" {
      // Negation first: anything in i_lan is excluded, everything else matches.
      match-clients { !i_lan; any; } ;
      // Authoritative-only toward untrusted clients.
      recursion no;
      allow-transfer { i_dns;};
// zones go here
};


Any help is appreciated and thanks in advance.

RootNet08

