A newbies Bind question

Peter Arends peter.arends at essexpost.com
Mon Feb 2 07:30:36 UTC 2009

In addition to these recommendations, you can use MAC filtering to restrict
This is of course if you have an iptables-based firewall with the MAC module.


-----Original Message-----
From: bind-users-bounces at lists.isc.org
[mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jeff Lightner
Sent: 1 February 2009 15:16
To: Matthew Pounsett; Peter Privat
Cc: bind-users at lists.isc.org
Subject: RE: A newbies Bind question

You can allow recursion (and caching) for specific (as opposed to all)
IPs external to your setup, but it's generally not a good idea unless
these IPs are static and trusted by you.  If your "friends" are using
ISPs they're almost certainly getting DHCP-provided IPs (meaning
random).  You don't want to allow that kind of traffic into your system.

If you still want to use it despite the above, you can add the following
to your named.conf's options section:

        allow-query { internaldns; externaldns; };
        allow-recursion { internaldns; externaldns; };

Then create acls for internaldns and externaldns:

// named requires an acl to be defined before the options block that
// references it, so these go above "options { ... };" in named.conf.
acl "internaldns" {
        x.x.x.x; x.x.x.x;
};

acl "externaldns" {
        x.x.x.x; x.x.x.x;
};

Where x.x.x.x are the IPs you want to allow.

-----Original Message-----
From: bind-users-bounces at lists.isc.org
[mailto:bind-users-bounces at lists.isc.org] On Behalf Of Matthew Pounsett
Sent: Saturday, January 31, 2009 1:37 PM
To: Peter Privat
Cc: bind-users at lists.isc.org
Subject: Re: A newbies Bind question

On 31-Jan-2009, at 13:24, Peter Privat wrote:

> My question:
> Is it possible for my friends out there somewhere in cyberspace to
> also use my DNS server by entering its IP in their DNS settings?
> So far I haven't managed to make it work. If another computer
> somewhere out there in the cloud is entering the IP of my private
> DNS server into their internet settings, they are not able to use
> that DNS server. It doesn't provide DNS at all. Seems like it is
> blocked or doesn't allow computers that are not on the same subnet,
> or something. Is there a configuration that I've missed? How do the
> ISPs make their DNS servers usable for everyone?

By default, BIND blocks IP addresses that aren't on a local network
from using it for recursion.  Setting up an open DNS server which
permits anyone to use it creates an easy vector for your DNS server to
be used in Denial of Service attacks, so the default is to be
completely closed.  It is not recommended to open up your DNS server
to the world.  If your friends have static IP addresses (i.e. the IP
addresses of their computers aren't ever changed by their ISP) then
you can allow them in using the 'allow-query' and 'allow-recursion'

There's HTML documentation for the 'options' grammar at
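Added example, not part of any message in this thread: after setting allow-query / allow-recursion as Jeff and Matthew describe, the thing to verify from an address outside the ACLs is that the server really refuses to recurse. The checker below builds a recursion-desired A query by hand (RFC 1035 header layout), sends it over UDP to port 53, and reads the reply header: a resolver that recurses for you answers with the RA flag set, while a BIND server whose ACLs exclude you answers REFUSED (rcode 5) or without RA. The query name example.com, the 3-second timeout and the function names are this example's own choices; the sample replies in main() are constructed, not captured from a real server.

```python
"""Open-resolver check: does a DNS server recurse for *my* source address?"""
import random
import socket
import struct
from typing import Optional

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: Optional[int] = None, rd: bool = True) -> bytes:
    """Build a minimal A/IN query; RD=1 is what a stub resolver sends."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # QR=0 OPCODE=0 RD=rd
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)        # QTYPE=A QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; the bits we care about are QR, RA, RCODE."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp: bytes, qid: int) -> str:
    """'open' if the server recursed for us, 'closed' if it refused or withheld RA."""
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "not-a-reply"
    if h["rcode"] == 5:                          # allow-query/allow-recursion rejected us
        return "closed"
    if h["ra"] and h["rcode"] in (0, 3):         # recursion available, real answer/NXDOMAIN
        return "open"
    return "closed"                              # RA clear: no recursion for this client


def check(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query over UDP and classify the reply. Needs network access."""
    qid = random.randint(0, 0xFFFF)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"                    # dropped by a firewall rather than refused by named
    return classify(resp, qid)


if __name__ == "__main__":
    import sys
    # Constructed sample replies (not captured traffic): header only, 12 bytes each.
    open_reply = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR RD RA, NOERROR
    refused_reply = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) # QR RD, REFUSED
    print("constructed open reply   ->", classify(open_reply, 0x1234))
    print("constructed refused reply->", classify(refused_reply, 0x1234))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check(sys.argv[1]))
```

Run it from a host that is not in your ACLs (a friend's machine, a VPS) as `python3 resolvercheck.py <your-server-ip>`; the desired result after the change is "closed". The same check with dig is `dig @<your-server-ip> example.com`: a properly closed server returns status REFUSED, and an open one shows `ra` in the flags line.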