LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-04-2014, 12:58 AM   #1
shahzaibcb
Include file into bind acl directive !!


Can I include a file in a bind acl {} directive? I need to include 1800+ IP prefixes in an ACL for directing their traffic to a specific server using bind. I want to put those prefixes into a file and include it in the acl, like the following:

acl "caching" {
    include "/etc/prefixes";
};
But it gives the following error and bind doesn't start :-

Error in named configuration:
/etc/named.conf:45: missing ';' before '"'

File /etc/prefixes:

1.1.1.1/8;
10.2.5.1/24;
 
Old 07-04-2014, 03:44 AM   #2
bathory
Quote:
Can i include file in bind acl {} directive?
You can't

What you can do, if you don't want to bloat named.conf with the 1800+ IPs, is to create the file /etc/prefixes containing the acl name and the 1800+ IPs, like:
Code:
acl caching {
1.1.1.1/8;
10.2.5.1/24;
};
and use that acl inside another acl in named.conf:
...
Code:
acl blah {
 caching;
};
Regards
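Added example (not from the thread or from BIND itself): a small script that turns a plain prefix list into the self-contained `acl caching { ... };` file bathory describes, so that named.conf only needs a top-level `include` of it. The sample prefix list is constructed; the entry with host bits set is there on purpose, because named-checkconf rejects such entries.

```python
import ipaddress

# Constructed sample of the plain prefix list the question describes.
# "1.1.1.1/8" has host bits set; "10.2.5.1/24" and "10.2.5.0/24" are the
# same network; the last line is garbage that must not reach named.conf.
SAMPLE_PREFIXES = """\
1.1.1.1/8
10.2.5.1/24;
10.2.5.0/24
not-an-address
"""

def parse_prefixes(text):
    """Return (valid_networks, rejected_lines).

    One CIDR prefix per line, an optional trailing ';' is tolerated.
    Prefixes with host bits set are normalised to the network address
    (named-checkconf reports 'address/prefix length mismatch' otherwise),
    and duplicates are dropped after normalisation.
    """
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith(("#", "//")):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net not in valid:
            valid.append(net)
    return valid, rejected

def render_acl(name, networks):
    """Render one complete top-level acl statement.

    The whole statement lives in the included file; named.conf then says
    `include "/etc/prefixes";` at top level, since `include` inside an
    `acl {}` block is not accepted by the configuration parser.
    """
    body = "\n".join(f"    {n.with_prefixlen};" for n in networks)
    return f'acl "{name}" {{\n{body}\n}};\n'

if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE_PREFIXES)
    print(render_acl("caching", nets), end="")
    for b in bad:
        print(f"rejected: {b!r}")
```

Run `named-checkconf` after regenerating the file and before `rndc reload`, so a bad prefix never takes named down.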
 
Old 07-07-2014, 04:11 PM   #3
shahzaibcb
@bathory thanks. I have configured the acl; I have another issue now. I am trying to configure master/slave bind with view directives. I have two VIEW directives for the same zone, one for local ISP clients (INTERNAL) and the other for EXTERNAL (ANY REQUESTS). The slave is fetching the zones from the master, but both internal and external zones contain the same contents (the contents of EXTERNAL). Following is the configuration on master/slave:

MASTER :-

view "tw" {
    match-clients { tw; };
    zone "files.com" {
        type master;
        file "tw.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
};

view "external" {
    match-clients { any; };

    zone "files.com" {
        type master;
        file "files.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
};

include "/var/named/tw-prefixes";

acl "tw" {
    caching;
};

options {
    listen-on port 53 { 192.123.42.81; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    // allow-query-cache { none; };
    allow-transfer { 192.123.42.84; };
    recursion no;
};


SLAVE :-

view "tw" {
    match-clients { tw; };

    allow-query { any; };
    zone "files.com" {
        type slave;
        masters { 192.123.42.81; };
        file "slaves/tw.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
};

view "external" {
    match-clients { any; };
    allow-query { any; };
    zone "files.com" {
        type slave;
        masters { 192.123.42.81; };
        file "slaves/files.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
};

include "/var/named/tw-prefixes";

acl "tw" {
    caching;
};

options {
    listen-on port 53 { 192.123.42.84; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    // allow-query-cache { none; };
    recursion no;
};
 
Old 07-08-2014, 12:23 AM   #4
bathory
Hi.

I've answered your other post here.
Please don't cross-post.
 
Old 07-08-2014, 12:29 AM   #5
shahzaibcb
Yes bathory, I am sorry for it. I've fixed it. I'll be careful next time.

Last edited by shahzaibcb; 07-08-2014 at 12:32 AM.
 
Old 07-10-2014, 12:45 AM   #6
shahzaibcb
@bathory, my DNS is live now. I have added my local client machine's public IP to the bind caching acl to route my client's IP to a specific server. Now when I ping the domain, it doesn't resolve to any IP, and /var/log/messages shows the following IP instead; my modem's IP is 39.2.4.32.

Jul 10 01:42:41 dns named[812]: client 182.190.0.21#35126: view external: query (cache) 'domain.files.com/A/IN' denied


It is trying to resolve my IP in the external zone. Why is the IP wrong in the logs? It should be my modem's IP.

view "tw" {
    match-clients { caching; };
    zone "files.com" {
        type master;
        file "files.com.tw";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
};

acl "caching" {
    39.0.0.0/8;
};

options {
    listen-on port 53 { 210.22.172.81; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { none; };
};


I am not getting what the issue is here. :-(

Regards.
 
Old 07-10-2014, 01:59 AM   #7
bathory
Quote:
It is trying to resolve my IP in the external zone. Why is the IP wrong in the logs? It should be my modem's IP.
I don't know. It's clearly a networking issue. Using that IP it falls into the external view, so it denies the query.
You can add that IP (or subnet) to the caching ACL, so it works as expected.
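Added example (not from the thread): a small simulator of how BIND 9 picks a view, which shows why the logged client above lands in "external". The ACL text and view order mirror the configuration in post #6; the log line is a constructed copy of the one quoted. It checks views in order and takes the first `match-clients` hit, as named does; `!` negation and TSIG keys in ACLs are not handled.

```python
import ipaddress
import re

# Constructed ACL definitions in the thread's layout: `tw` refers to `caching`.
CONFIG = """
acl "caching" { 39.0.0.0/8; };
acl "tw" { caching; };
"""
# Views in named.conf order; the first whose match-clients covers the client wins.
VIEWS = [("tw", ["tw"]), ("external", ["any"])]

# Constructed log line in the format quoted in the thread.
LOG_LINE = ("Jul 10 01:42:41 dns named[812]: client 182.190.0.21#35126: "
            "view external: query (cache) 'domain.files.com/A/IN' denied")

ACL_RE = re.compile(r'acl\s+"?(\w+)"?\s*\{([^}]*)\}\s*;')

def parse_acls(text):
    """Map each acl name to the list of elements inside its braces."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in ACL_RE.findall(text)}

def acl_matches(element, ip, acls, depth=0):
    """True if one element (address, prefix, any/none or nested acl) covers ip."""
    if depth > 16:
        raise ValueError("acl nesting too deep or recursive")
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:  # reference to another acl, e.g. `caching;` inside `tw`
        return any(acl_matches(e, ip, acls, depth + 1) for e in acls[element])
    return ip in ipaddress.ip_network(element, strict=False)

def select_view(ip_text, views, acls):
    """Name of the first view whose match-clients covers the client, else None."""
    ip = ipaddress.ip_address(ip_text)
    for name, clients in views:
        if any(acl_matches(e, ip, acls) for e in clients):
            return name
    return None

def client_ip_from_log(line):
    """The address named logged: the resolver that asked, not the end user."""
    m = re.search(r"client (\S+)#\d+", line)
    return m.group(1) if m else None

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print(select_view(client_ip_from_log(LOG_LINE), VIEWS, acls))  # external
    print(select_view("39.2.4.32", VIEWS, acls))                    # tw
```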
 
Old 07-10-2014, 05:36 AM   #8
shahzaibcb
This is the problem: http://backreference.org/2010/02/01/...dns-with-bind/

Note that our DNS server will almost never be queried directly by the end clients that need to access the service; rather, it will be queried by other DNS servers that want to resolve the names on behalf of their clients. However, it's reasonable to assume that end clients will generally be using DNS servers that are geographically close to them (for example, their company's or their ISP's DNS). Sure, there will be exceptions, but the worst that can happen is that, say, an asian client is sent to the european server, for example, so it's not really something to worry about, and geoIP information cannot be 100% accurate anyway, so those things would probably happen in any case.

I am trying to route public IPs via the ACL, whereas it should be the DNS servers.
 
Old 07-10-2014, 10:58 AM   #9
bathory
What problem? If you're trying to implement geoIP, follow the instructions and you'll be ok.
 
Old 07-10-2014, 11:17 AM   #10
shahzaibcb
Well, I am not sure whether to call it GeoIP. Maybe you can call it ISP-based caching, because we only need to route those IP prefixes which are provided by our ISP (located in the local country) towards the local caching server (located in the ISP), and route the rest to the main servers located in the U.S. Can bind work with 2000+ IP prefixes? We need to route requests coming from 2000+ IP prefixes in CIDR notation, using the bind VIEW clause, towards the local caching server's IP.
 
Old 07-10-2014, 12:52 PM   #11
bathory
Quote:
Originally Posted by shahzaibcb View Post
Well, I am not sure whether to call it GeoIP. Maybe you can call it ISP-based caching, because we only need to route those IP prefixes which are provided by our ISP (located in the local country) towards the local caching server (located in the ISP), and route the rest to the main servers located in the U.S. Can bind work with 2000+ IP prefixes? We need to route requests coming from 2000+ IP prefixes in CIDR notation, using the bind VIEW clause, towards the local caching server's IP.
I don't think that there should be a problem, given that you have enough memory available.
Bind loads everything into memory when it starts, so those 2000+ IPs could consume a lot of RAM.
 
Old 07-10-2014, 01:22 PM   #12
shahzaibcb
When I remove or add an IP prefix in the file which is included in acl {}, the change doesn't take effect; instead I have to reboot the OpenVZ container 3~4 times for the change to take effect. What could be the issue? rndc flush, rndc reload etc. are not helping here.
 
Old 07-10-2014, 02:23 PM   #13
shahzaibcb
@bathory, this is the exact problem I am having:

http://www.linuxquestions.org/questi...ip-4175496376/
 
Old 07-11-2014, 12:23 AM   #14
bathory
Quote:
Originally Posted by shahzaibcb View Post
@bathory, this is the exact problem I am having:

http://www.linuxquestions.org/questi...ip-4175496376/
D'oh, I cannot understand your problem. If I configure the Google DNS (8.8.8.8) as my resolver, you'll see the query coming from it when I try to resolve your domain.

Last edited by bathory; 07-11-2014 at 12:30 AM.
 
Old 07-11-2014, 07:43 AM   #15
shahzaibcb
You're right. Is there a way I can overcome this problem? We need to cache videos on our local caching server in the ISP. The only way I know is to route requests coming from the ISP's IP prefixes towards the local caching server.

Do you have a better solution for caching? I can't use GeoIP caching because it's on a region/country basis. Our ISP doesn't allow any other IP to watch the cached content from their caching server, so I need to be more specific for caching.
 
All times are GMT -5. The time now is 02:07 PM.