<div dir="ltr">The server I really need this for is a little more complex. I was just trying for a simple test case.<div><br></div><div>Here are more details on my plans to actually use "allow-query-on". Two DNS servers, one only for the data centers, and another for the users, but also as backup for the data center.</div>
<div><br></div><div>DNS resolver for data center has these relevant settings in named.conf:</div><div>(has data center DNS resolver IP)</div><pre>acl DATACENTER { ... data center subnets ... };
options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    ... my zones ...
};</pre>
<div><br></div><div>DNS resolver for users, but also backup resolver for the data center: (There are actually two of these.)</div><div>(has both user DNS resolver IP and data center DNS resolver IP)</div><pre>options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    allow-query-on { data center resolver ip };
    ... my zones ...
};
view "users" {
    match-clients { "any"; };
    allow-query-on { user resolver ip };
    ... my zones ...
};</pre>
<div><br></div><div>I don't want users trying to use the data center resolver IP. Without the "allow-query-on", it would work for them if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.</div>
<div><br></div><div>(Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)</div>
<div>The authoritative servers are a separate set of servers, not using anycast, not involved in this.</div>
<div><br></div><div class="gmail_extra"><div>-- <br>Bob Harold<br>DNS Hostmaster</div><div>University of Michigan</div>
<br><br><div class="gmail_quote">On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <span dir="ltr"><<a href="mailto:h.reindl@thelounge.net" target="_blank">h.reindl@thelounge.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On 02.07.2014 17:08, Bob Harold wrote:<br>
<div class="">> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:<br>
><br>
> allow-query-on { 127.0.0.1; };<br>
><br>
> To the default /etc/bind/named.conf.options file.<br>
> That should make it only answer queries sent to 127.0.0.1, and not<br>
> answer queries sent to the server's normal IP.<br>
> But it seems to have no effect<br>
<br>
</div>why listen at all on an interface you don't want to<br>
answer from, and so accept packets?<br>
<br>
listen-on {any;};<br>
listen-on {127.0.0.1;};<br>
listen-on {127.0.0.1; 192.168.196.2;};<br>
<br>
<br>_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br></blockquote></div><br></div></div>
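<div>To make the behaviour described in the message above concrete, here is an added model (not code from the thread or from BIND itself) of how named first selects a view by match-clients and then applies that view's allow-query-on to the destination address. The resolver IPs, the DATACENTER prefix and the client addresses are constructed; the model omits match-destinations and the allow-query/allow-recursion checks, which pass for every source in this configuration.</div>

```python
import ipaddress

# Constructed addresses for the illustration (not from the thread).
DC_IP = "192.0.2.53"           # data center anycast resolver IP
USER_IP = "198.51.100.53"      # user anycast resolver IP
DATACENTER = ["10.10.0.0/16"]  # stands in for "... data center subnets ..."

def acl_match(acl, addr):
    """Match addr against an ACL given as 'any' or a list of CIDR prefixes."""
    if acl == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in acl)

def view(name, match_clients, allow_query_on=None):
    return {"name": name, "match_clients": match_clients, "allow_query_on": allow_query_on}

# Data center resolver: listens only on DC_IP and has a single view.
DC_SERVER = {"listen": {DC_IP},
             "views": [view("datacenter", DATACENTER, [DC_IP + "/32"])]}
# User resolver, also backup for the data center: listens on both IPs, two views.
USER_SERVER = {"listen": {DC_IP, USER_IP},
               "views": [view("datacenter", DATACENTER, [DC_IP + "/32"]),
                         view("users", "any", [USER_IP + "/32"])]}

def answer(server, src, dst):
    """Return the view that answers a query from src to dst, or why it fails.
    named takes the first view whose match-clients accepts the source; inside
    that view allow-query-on (when set) must accept the destination address,
    otherwise the query is REFUSED. No matching view is REFUSED as well."""
    if dst not in server["listen"]:
        return "UNREACHABLE"          # the anycast route never lands here
    for v in server["views"]:
        if acl_match(v["match_clients"], src):
            aqo = v["allow_query_on"]
            return v["name"] if aqo is None or acl_match(aqo, dst) else "REFUSED"
    return "REFUSED"

def without_allow_query_on(server):
    """Same server with allow-query-on removed from every view (the 'before')."""
    return {"listen": server["listen"],
            "views": [dict(v, allow_query_on=None) for v in server["views"]]}

def anycast_outcomes(src, dst, with_aqo=True):
    """What the client sees on each server its anycast packet could reach."""
    servers = {"dc_server": DC_SERVER, "user_server": USER_SERVER}
    if not with_aqo:
        servers = {k: without_allow_query_on(s) for k, s in servers.items()}
    return {k: answer(s, src, dst) for k, s in servers.items()}
```

<div>With the views in this order, a data center client that sends its query to the user IP is refused too, because the "datacenter" view claims it first and its allow-query-on only lists the data center IP. BIND can also select the view by destination address with match-destinations, which this model leaves out.</div>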