[Techtalk] bind gurus: restricting queries to your domain(s)

Evilpig evilpig at gmail.com
Fri Aug 20 16:21:43 EST 2004


On Fri, 20 Aug 2004 13:45:30 -0700, Carla Schroder <carla at bratgrrl.com> wrote:
> Hiya,
> 
> When you run a public BIND server for your domain, how do you restrict BIND
> to only accept queries for your domain, or domains? I've been looking at
> allow-query directives under Options, but I'm not sure that's the correct
> tool, or how to use it.
 
If I'm understanding you right, what you want to do is make it where,
for example, I can't ask your DNS server to resolve www.google.com;
instead you want to make it where I (or anyone else on the internet)
can only ask it to resolve whatever.carlasdomain.com and other
carlasdomain.com records.

If so, you should probably use allow-recursion to do that instead.  If
you want to allow some recursive queries, but deny them in general,
you can write some ACLs and include them in the allow-recursion
statement like so:

acl "trustednet1" { 10.1.0.0/16; };
acl "trustednet2" { 192.168.25.0/24; };
acl "trustedhost" { 172.16.27.86; };

<later on in named.conf...>

# allow-recursion is an options (or view) statement, so it belongs inside
# the options { } block rather than at the top level of named.conf:
options {
        # Perform recursive queries for these:
        allow-recursion {
                "trustednet1";
                "trustednet2";
                "trustedhost";
                localhost;
        };
};


You will then use the allow-query statement to allow anyone on the
internet to query for your domain's zone records like so:

zone "carlasdomain.com" {
        type master;
        file "db/carlasdomain.com.db";
        allow-query { any; };
        allow-transfer { "ns2"; };    # There would need to be an ACL for ns2
};

- Colleen
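As an added check (example code, not from the original post), the following POSIX shell function classifies the header of a dig response so you can confirm that outsiders get REFUSED for foreign names while your own zone still answers; the server name ns1.carlasdomain.com is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: verify that the allow-recursion /
# allow-query split took effect by classifying a dig response header.
# Pipe live output in, e.g. (ns1.carlasdomain.com is an assumed hostname):
#   dig @ns1.carlasdomain.com www.google.com  | classify_dig   # expect: refused
#   dig @ns1.carlasdomain.com carlasdomain.com | classify_dig   # expect: authoritative

# Reads one dig response on stdin and prints:
#   authoritative - 'aa' flag set: answered from the server's own zone data
#   refused       - status REFUSED and no 'ra': recursion denied to this client
#   recursed      - 'ra' flag set without 'aa': the server resolved a foreign
#                   name for us, i.e. this client is inside allow-recursion
#   other         - anything else (SERVFAIL, a bare root referral, ...)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" aa "*) echo authoritative; return 0 ;;
    esac
    if [ "$status" = REFUSED ]; then
        echo refused; return 0
    fi
    case " $flags " in
        *" ra "*) echo recursed; return 0 ;;
    esac
    echo other
}

# Constructed sample headers in the shape dig prints, one per case.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Run the classifier over the three constructed samples.
for s in "$SAMPLE_REFUSED" "$SAMPLE_AUTH" "$SAMPLE_OPEN"; do
    printf '%s\n' "$s" | classify_dig
done
```

If a query for a foreign name from an address outside your ACLs ever prints "recursed", the allow-recursion list is letting that client through.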
