On Fri, 2020-11-13 at 13:38 -0800, Jack Craig wrote:

> current named.conf
>
> options
> {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // "Working" directory
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
> secroots-file "data/named.secroots";
> recursing-file "data/named.recursing";
>
> listen-on port 53 { any; };
> listen-on-v6 port 53 { any; };
>
> allow-transfer { 108.220.213.120/29; };
>
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };

I found, when I tried using forwarders, that all queries went to them,
not just the ones that the server couldn't answer for itself.

> controls {
>
> inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
>
> view "internal-lan-view"
> {
> match-clients { internals; };
>
> allow-recursion { internals; };
> allow-recursion-on { internals; };
>
> zone "linuxlighthouse.com" {
> type master;
> file "/var/named/internal.db";
> allow-query { internals; };
> };
> };

Above, you've used "match-clients," but haven't defined what "internals"
means (and I can't see "internals" listed as a predefined term in the
BIND docs).

e.g.

    acl "internals" {
        localhost;
        192.168/16;
        10.0/16;
    };

NB: "acl" needs to be defined outside of the views clause.

I believe "localhost" and/or "localnets" are predefined terms that could
be useful to you.

see: https://bind9.readthedocs.io/en/v9_16_6/reference.html

    4.2.2. acl Statement Definition and Usage

    The acl statement assigns a symbolic name to an address match list.
    It gets its name from a primary use of address match lists: Access
    Control Lists (ACLs).

    The following ACLs are built-in:

    "any"       Matches all hosts.

    "none"      Matches no hosts.

    "localhost" Matches the IPv4 and IPv6 addresses of all network
                interfaces on the system. When addresses are added or
                removed, the localhost ACL element is updated to reflect
                the changes.

    "localnets" Matches any host on an IPv4 or IPv6 network for which the
                system has an interface. When addresses are added or
                removed, the localnets ACL element is updated to reflect
                the changes. Some systems do not provide a way to
                determine the prefix lengths of local IPv6 addresses; in
                such a case, localnets only matches the local IPv6
                addresses, just like localhost.

(Their definition of localhost goes beyond the "localhost simply means
127.0.0.1" that we're used to with hostnames.)

> view "external-wan-view"
> {
> match-clients { any; };
> recursion no;
>
> allow-query { any; };
> allow-transfer { 108.220.213.120/29; };
>
> zone "linuxlighthouse.com" {
> type master;
> file "/var/named/linuxlighthouse.com.db";
> };
>
> zone "213.220.108.in-addr.arpa" {
> type master;
> file "/var/named/213.220.108.in-addr.arpa";
> };
> };
>

Since you've used "any" as a match here, something else has to match it
before this clause, else this clause will always match it. i.e., your
internal rules have to be first.

-- 
uname -rsvp
Linux 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
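As an added example (not part of the thread, and not BIND's own tooling), a small Python lint that applies the three points made in this reply to a named.conf: every name in an address match list must be a built-in ACL, an address or prefix, or an acl defined at top level; an acl statement inside a view is flagged; and a view whose match-clients includes "any" must be the last view. The statement splitter is a simplified brace-depth parser, not a full named.conf grammar, and the sample configuration is constructed for the example.

```python
import re

# Address-match-list names BIND predefines (the built-in ACLs quoted from the docs above).
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDR_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){0,3}|[0-9a-fA-F]*:[0-9a-fA-F:]*)(/\d{1,3})?$")
DIRECTIVES = ("match-clients", "allow-query", "allow-recursion", "allow-recursion-on", "allow-transfer")
STMT_RE = re.compile(r'^(\S+)(?:\s+"?([^"\s{]+)"?)?\s*\{(.*)\}$', re.S)  # keyword, optional name, body

def top_level_statements(conf):
    """Split named.conf text into top-level statements (';' at brace depth 0), comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", re.sub(r"(//|#)[^\n]*", "", conf), flags=re.S)
    stmts, depth, start = [], 0, 0
    for i, ch in enumerate(conf):
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            stmts.append(conf[start:i].strip())
            start = i + 1
    return [s for s in stmts if s]

def lint_views(conf):
    """Findings: undefined acl names, acl statements nested in a view, and views shadowed by 'any'."""
    parsed = [m.groups() for m in map(STMT_RE.match, top_level_statements(conf)) if m]
    acls = {name for kw, name, _ in parsed if kw == "acl"} | BUILTIN_ACLS
    views = [(name, body) for kw, name, body in parsed if kw == "view"]
    findings = []
    for idx, (view, body) in enumerate(views):
        # acl statements are only legal at top level; one inside a view is a configuration error.
        for nested in re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', body):
            findings.append(f'view {view}: acl "{nested}" is defined inside the view; acl is top-level only')
        for directive in DIRECTIVES:
            for lst in re.findall(rf"\b{directive}\s*\{{([^}}]*)\}}", body):
                names = [n for n in (e.strip().lstrip("!").strip('"') for e in lst.split(";")) if n and not n.startswith("key")]
                for name in names:
                    if name not in acls and not ADDR_RE.match(name):
                        findings.append(f'view {view}: {directive} references undefined acl "{name}"')
                # A view whose match-clients includes "any" takes every client, so later views are unreachable.
                if directive == "match-clients" and "any" in names and idx + 1 < len(views):
                    findings.append(f'view {view}: matches any, so view "{views[idx + 1][0]}" is never reached')
    return findings

# Constructed sample modelled on the thread's configuration (not the poster's file); FIXED_CONF adds the missing acl.
SAMPLE_CONF = """
options { directory "/var/named"; };
view "internal-lan-view" {
    match-clients { internals; };
    zone "example.test" { type master; file "internal.db"; allow-query { internals; }; };
};
view "external-wan-view" { match-clients { any; }; recursion no; allow-transfer { 192.0.2.0/29; }; };
"""
FIXED_CONF = 'acl "internals" { localhost; 192.168.0.0/16; 10.0.0.0/16; };\n' + SAMPLE_CONF
```

Running `lint_views(SAMPLE_CONF)` reports the undefined "internals" references, while `lint_views(FIXED_CONF)` returns no findings; swapping the two views makes the "never reached" finding appear.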