BIND with ACLs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Dear Friends,
I created um DNS server for network Internal and External same SERVER, but the control by ACLs in named.conf don't work, when I active ACLs the server don't resoluction external domain names. 

Please, check NAMED.CONF file.

//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named/";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;


        allow-query {
                127.0.0.1/32;
                192.168.1.0/24;
                200.245.88.23/32;
                200.162.222.37/32;};

        allow-transfer { 127.0.0.1/32;
                    192.168.1.0/24;
                    200.162.222.37/32;
                    195.20.105.149/32;
                    193.111.27.194/32;
                    194.145.96.21/32;
                    193.23.158.13;};

        allow-recursion { 127.0.0.1/32;
                    192.168.1.0/24;
                    200.162.222.37/32;};

//        allow-notify { 127.0.0.1/32;
//                    200.245.88.23/32;};

};
// LOG
logging {
   channel query-log {
      file "/var/named/data/query-log" versions 5 size 50m;
   };
   category queries { query-log; };
};

acl internals {
                192.168.1/24;
                127/8;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 port 953 allow { localhost; } keys { rndckey; };
};

view "external" {
    match-clients { any; };
    recursion no;

zone "conntrust.com" IN {
        type master;
        file "conntrust.com.hosts";
        allow-update {none;};
        allow-query {any;};
        allow-transfer {any;};
};


zone "whitelist.conntrust.com" IN {
        type master;
        file "whitelist.conntrust.com.hosts";
        allow-update {none;};
        allow-query {any;};
        allow-transfer {any;};
};

}; //acl external

view "internal" {
    match-clients { internals; };
    recursion yes;



zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
//      allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
//      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
//      allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { 
        type master;
        file "named.ip6.local";
//      allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
//      allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
//      allow-update { none; };
};


    zone "conntrust.com" IN {
        type master;
        file "internal.conntrust.com.hosts";
      allow-update { internals; };

    };


}; // acl internal

include "/etc/rndc.key";


Thanks


Adriano




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux