LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 08-28-2004, 02:30 AM   #1
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Rep: Reputation: 0
Question named.conf ... acl syntax


Hi,

Newbie here, 2 days on Redhat 9. Tripping along thru the docs ( ) , got DHCP up, and DNS 95%, NAT is next.

Can anyone pls tell me the proper syntax of 'acl' so I get my DNS running properly? I am using acl statements to limit access to the zones on my DNS server. What is the proper syntax to refer to all possible externals IPs?

acl internals { 192.168.1.0/24; 127.0.0.0/24; };
acl externals { ?????? };

Currently I have only my ISP's DNS servers, and a friend's DNS in my acl externals statement. So only they can get queries and transfers from the relevant zone on my DNS. I want to be able to answer everyone's DNS requests about my Domain Name.

Thanks Much,
Al


PS - Sorry if this is already covered elsewhere here ... YOU => , ME =>

If it hasn't already been covered ... YOU => , ME =>
 
Old 08-28-2004, 02:43 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
acl in named.conf?? I didn't hear anything like this b4.
bind allows everybody to use your nameserver to resolve domain names. Also it answers every query if your domain records are asked.

check your firewall. maybe it blocks the queries.

Last edited by maxut; 08-28-2004 at 02:45 AM.
 
Old 08-28-2004, 02:55 AM   #3
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Here are some logs from /var/log/messages

Aug 28 01:43:07 teclis named[2833]: client w.x.y.z#3398: query 'blah.com/IN' denied
Aug 28 01:43:07 teclis named[2833]: client w.x.y.z#3399: query 'blah.com/IN' denied

named is blocking it. It is the acl statements, bcs my ISP DNS couldn't connect until I added them. It makes it easy to prevent inside LAN type info/stuff going out to an external request.

I just need the syntax of the IP '/'-notation for all addresses. Or the notation of a range (in case acl doesn't allow overlaps).

I am still tweaking things ... and so at this time the firewall is fully off.
 
Old 08-28-2004, 02:59 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
try this:

zone "blah.com" IN {
type master;
file "blah.com.zone";
allow-update { w.x.y.z; };
};

let me know if it fixed it please.
 
Old 08-28-2004, 03:02 AM   #5
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
by the way, it seems that client w.x.y.z wants to update the zone file of "blah.com". do u have a secondary nameserver at w.x.y.z?
 
Old 08-28-2004, 03:07 AM   #6
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
I am already doing that, and those specifically listed IPs work. I need the syntax used to include all IPs total just like 192.168.1.0/24 is used to specify all IPs from 192.168.1.0 thru 192.168.1.255.


here is part of my named.conf:

acl externals { external IP1; external IP2; ISP DNS IP1; ISP DNS IP2; ISP DNS IP3; };
acl internals { 192.168.1.0/24; 127.0.0.0/24; };

options {
directory "/var/named/";
pid-file "named.pid";
query-source address * port 53;
forward only;
forwarders { ISP DNS IP1; ISP DNS IP2; ISP DNS IP3; };
allow-transfer { none; };
allow-query { internals; externals; };
allow-recursion { internals; };
};

zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.zone";
allow-query { internals; };
allow-transfer { internals; };
notify no;
};
zone "blah.com" {
type master;
file "blah.com.zone";
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
 
Old 08-28-2004, 03:10 AM   #7
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
sorry ... wasn't specific enough

w.x.y.z could be anyone on the internet. A DNS server out there trying to get the info about my domain name.
 
Old 08-28-2004, 03:28 AM   #8
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
hmmm.

zone "blah.com" {
type master;
file "blah.com.zone";
forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};

i think the trouble is
allow-transfer { internals; };

let everybody transfer your zone file. i am not sure but i think this is necessary to publish "blah.com". and by default it allows everybody.

if u change

options{
..
forward only;

to
forward first;

your nameserver caching will run. so it won't ask every query to your ISP nameserver.
 
Old 08-28-2004, 03:45 AM   #9
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
thx for the tip on the forwarding!!

exactly ... I want everyone to be able to get access to that zone. I have added 'external' to 'allow transfers'. Thx

The problem is that I need to declare 'externals' to be all IPs ... ie 0.0.0.0 to 255.255.255.255, or 0.0.0.0 to 192.168.0.255 and 192.168.2.0 to 255.255.255.255 (if BIND doesn't handle overlaps in acl statements too well).
 
Old 08-28-2004, 03:52 AM   #10
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
hi,

you probably want to use the predefined 'any' acl if you are hosting the domain and want anybody to be able request resource records for it :

zone "blah.com" {
type master;
file "blah.com.zone";
allow-query { any; };
allow-transfer { internals; };
};

allow-transfer is only really useful for secondary (type slave) nameservers so they can transfer the zone off your primary - I'd set it to :

allow-transfer { none; };

... try making use of the predefined acl's if they already do what you need them to - makes your config a little cleaner :

[from http://www.zytrax.com/books/dns/ch7/acl.html ]

* "none" - matches no hosts
* "any" - matches all hosts
* "localhost" - matches all the IP address(es) of the server on which BIND is running
* "localnets" - matches all the IP address(es) and subnetmasks of the server on which BIND is running

Not sure how 'localnets' is affected if you are running a PPP/IPPP/TUN adapter etc - haven't ever used it with dynamic interfaces.

hope that helped.

Last edited by angrybeaver; 08-28-2004 at 03:54 AM.
 
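To make the matching rules behind `any`, `none` and named acls concrete, here is an added Python model of how BIND evaluates an address-match-list (first matching element decides, `!` negates, an acl name nests another list, no match at all means deny). This is illustrative code written for this thread, not BIND's own implementation or any poster's config; the acl names and the RFC 5737 addresses are constructed stand-ins for the thread's unshown secondary and ISP resolver IPs, and the predefined `localhost`/`localnets` acls are not modeled.

```python
import ipaddress

# Constructed ACLs mirroring the thread's named.conf. The secondary address is an
# RFC 5737 documentation address, not a real host.
ACLS = {
    "internals": ["192.168.1.0/24", "127.0.0.0/8"],
    "secondaries": ["198.51.100.53"],
    # A negated element placed first carves an exception out of a broader one;
    # the same two elements in the other order would let "any" win every time.
    "not_lan": ["!192.168.1.0/24", "any"],
}

def match_element(element, addr):
    """Verdict of one element for addr: 'allow', 'deny' or None (does not match)."""
    if element.startswith("!"):                  # negation flips a matching verdict
        inner = match_element(element[1:], addr)
        if inner is None:
            return None
        return "deny" if inner == "allow" else "allow"
    if element == "any":
        return "allow"
    if element == "none":
        return None                              # matches no host, never decides
    if element in ACLS:
        return match_list(ACLS[element], addr)   # acl name -> nested list
    # Bare IP or prefix; a bare address is a /32 host entry.
    return "allow" if addr in ipaddress.ip_network(element, strict=False) else None

def match_list(elements, addr):
    """First element that matches decides; later elements are never consulted."""
    for element in elements:
        verdict = match_element(element, addr)
        if verdict is not None:
            return verdict
    return None

def allowed(option_list, client_ip):
    """Access-control decision as BIND applies it: anything but 'allow' is deny."""
    return match_list(option_list, ipaddress.ip_address(client_ip)) == "allow"

# The thread's authoritative zone with the tightened transfer policy: anyone may
# query, only the listed secondaries may pull the zone, only the LAN may recurse.
ZONE_BLAH_COM = {"allow-query": ["any"], "allow-transfer": ["secondaries"]}
OPTIONS = {"allow-recursion": ["internals"]}

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.168.1.20", "198.51.100.53"):
        print(ip, {k: allowed(v, ip) for k, v in ZONE_BLAH_COM.items()},
              "recursion:", allowed(OPTIONS["allow-recursion"], ip))
```

Because an empty list or a list of only negated elements never produces a positive match, both deny everyone, which is why `{ none; }` is the safe default for `allow-transfer` on a server with no secondaries.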
Old 08-28-2004, 03:56 AM   #11
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
don't declare acl for allow-transfers. just remove the "allow-transfers" lines
in "options { ..." section, and in "zone "blah.com" {..." section.

bind will allow everybody to transfer zone files by default.

u can also block unwanted net activity with iptables. u don't have to configure named acl's.
 
Old 08-28-2004, 03:57 AM   #12
freaky al
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
BINGO!!!

I was trying 'all' and named wouldn't start. The prospect of putting in { 0.0.0.0/8; 1.0.0.0/8 ... 255.0.0.0/8 } was just downright scary.

thx for the secondary/transfer tip too!

THANKS MUCH!!!
 
Old 08-28-2004, 08:05 AM   #13
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
by the way, knowledge is not far from u. it already comes with linux; check the man pages of named for more detail about configuration.

man named
man named.conf
 