[Techtalk] bind gurus: restricting queries to your domain(s)
Evilpig
evilpig at gmail.com
Fri Aug 20 16:21:43 EST 2004
On Fri, 20 Aug 2004 13:45:30 -0700, Carla Schroder <carla at bratgrrl.com> wrote:
> Hiya,
>
> When you run a public BIND server for your domain, how do you restrict BIND
> to only accept queries for your domain, or domains? I've been looking at
> allow-query directives under Options, but I'm not sure that's the correct
> tool, or how to use it.
If I'm understanding you right, what you want to do is make it where,
for example, I can't ask your DNS server to resolve www.google.com;
instead you want to make it where I (or anyone else on the internet)
can only ask it to resolve whatever.carlasdomain.com and other
carlasdomain.com records.
If so, you should probably use allow-recursion to do that instead. If
you want to allow some recursive queries, but deny them in general,
you can write some ACLs and include them in the allow-recursion
statement like so:
acl "trustednet1" { 10.1.0.0/16; };
acl "trustednet2" { 192.168.25.0/24; };
acl "trustedhost" { 172.16.27.86; };

# <later on in named.conf, inside the options { } block...>
options {
    # Perform recursive queries for these:
    allow-recursion {
        "trustednet1";
        "trustednet2";
        "trustedhost";
        localhost;
    };
};
You will then use the allow-query statement to allow anyone on the
internet to query for your domain's zone records like so:
zone "carlasdomain.com" {
    type master;
    file "db/carlasdomain.com.db";
    allow-query { any; };
    allow-transfer { "ns2"; }; # There would need to be an ACL for ns2
};
- Colleen
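As an added example (mine, not Colleen's or ISC's code), a small Python checker that expands the ACLs in a named.conf fragment and reports whether allow-recursion is effectively open to the whole internet, the mistake the reply above is steering away from; the config text inside it is constructed for the demo, and the regexes assume the simple one-level brace layout used in the thread.

```python
import re

# Constructed named.conf fragment, modelled on the ACL / allow-recursion / zone
# pieces in the post above (not taken from any real server).
SAMPLE_CONF = """
acl "trustednet1" { 10.1.0.0/16; };
acl "trustednet2" { 192.168.25.0/24; };
acl "trustedhost" { 172.16.27.86; };
options {
    allow-recursion { "trustednet1"; "trustednet2"; "trustedhost"; localhost; };
};
zone "carlasdomain.com" {
    type master;
    file "db/carlasdomain.com.db";
    allow-query { any; };   # authoritative data is meant to be public
};
"""
ACL_RE = re.compile(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
STMT_RE = re.compile(r'(allow-recursion|allow-query)\s*\{([^}]*)\}\s*;')
WILDCARDS = {"any", "0.0.0.0/0", "::/0"}   # address-match entries that admit everyone

def parse_acls(conf):
    """Map ACL name -> list of raw entries (addresses, nets, or other ACL names)."""
    return {name: [e.strip().strip('"') for e in body.split(';') if e.strip()]
            for name, body in ACL_RE.findall(conf)}

def expand(entries, acls, seen=()):
    """Flatten nested ACL references into concrete address-match entries."""
    out = []
    for e in (x.strip().strip('"') for x in entries if x.strip()):
        if e in acls and e not in seen:          # ACL reference; guard against loops
            out.extend(expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out

def audit(conf):
    """Return [(statement, expanded members, admits_everyone)] per allow-* statement."""
    conf = re.sub(r'(#|//)[^\n]*', '', conf)     # drop # and // comments first
    acls = parse_acls(conf)
    return [(stmt, m, bool(WILDCARDS & set(m)))
            for stmt, body in STMT_RE.findall(conf)
            for m in [expand(body.split(';'), acls)]]

def is_open_resolver(conf):
    """True if recursion is offered to everyone, explicitly or by omission."""
    rec = [f for f in audit(conf) if f[0] == "allow-recursion"]
    # No allow-recursion at all: BIND releases of this thread's era (before 9.4)
    # defaulted to recursing for any client, so treat the omission as open.
    return not rec or any(is_open for _, _, is_open in rec)
```

An `any` in a zone's allow-query is expected (that is the public authoritative data), so only the allow-recursion result decides whether the server is an open resolver.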