Hi, this is my first post here and I have quite an interesting problem at that!
I have migrated my DNS service from Debian Etch Linux to Sun Solaris 9 running
the Blastwave version of Bind9.
This is a bit hard to explain, but basically, as the default DNS setup in Debian, it
installs root servers through which domains for which the server is not
authoritative get resolved. Currently the setup works fine from within my
LAN or intranet, so that any queries from the 192.168.0.0/23 networks resolve
perfectly OK, as they should for WAN queries.
My issue is that I cannot seem to do the same from the other side of my
gateway! The gateway is NAT'ed and I've directed port 53 for both TCP and UDP
connections to the IP of the DNS server.
I had this working before I decided to use views, but now with the views in
place something is blocking lookups from external sources. This is my current
named.conf file:
<--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
// /etc/bind/named.conf.local
acl internals {
    127.0.0.0/8;
    192.168.0.0/22;
};
include "/etc/opt/csw/bind/named.conf.options";
// View for internal clients
view "internal" {
    match-clients { internals; };
    allow-recursion {
                192.168.0.0/22;
                127.0.0.1;
                };
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone "localhost" {
//        type master;
//        file "/etc/opt/csw/bind/db.local";
//};
//zone "127.in-addr.arpa" {
//        type master;
//        file "/etc/opt/csw/bind/db.127";
//};
//zone "0.in-addr.arpa" {
//        type master;
//        file "/etc/opt/csw/bind/db.0";
//};
//zone "255.in-addr.arpa" {
//        type master;
//        file "/etc/opt/csw/bind/db.255";
//};
include "/etc/opt/csw/bind/named.conf.local";
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
};
// View for external clients
view "external" {
    match-clients { any; !192.168.0.0/22; !127.0.0.1; };
    allow-recursion {
                127.0.0.1;
                };
include "/etc/opt/csw/bind/named.conf.external";
};
// Everyone can view root servers
view "all" {
    match-clients { any; };
    allow-recursion {
                192.168.0.0/22;
                127.0.0.1;
//              any;
                };
        zone "." {
                type hint;
                file "/etc/opt/csw/bind/db.root";
        };
        zone "localhost" {
                type master;
                file "/etc/opt/csw/bind/db.local";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/etc/opt/csw/bind/db.127";
        };
        zone "0.in-addr.arpa" {
                type master;
                file "/etc/opt/csw/bind/db.0";
        };
        zone "255.in-addr.arpa" {
                type master;
                file "/etc/opt/csw/bind/db.255";
        };
};
//rndc security
key "rndc-key" {
       algorithm hmac-md5;
       secret "XigPbSdF3oVRXPzax+96xA==";
};
controls {
       inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};
<--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->
I tried switching the internal zones to a generic 'all' view which can be seen
by everybody, but it didn't seem to work, and I also had a go at allowing
recursion for 'all' for the hinted zone too, which again didn't do anything.
Can anybody help me in allowing external users to look up all URLs
via the hinted zone with the root.db servers file in it?
And at the same time, perhaps, whether I have left some parts (zones) open which I
shouldn't have, to secure the system a bit better?
Many thanks,
Kaya
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
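The behaviour in the post comes down to two BIND 9 rules: an address match list is evaluated top to bottom and the first element that contains the client decides (a matching "!" entry ends the search with a negative result), and views are tried in the order they appear in named.conf, so the first view whose match-clients matches a client serves it and later views are never consulted for that client. The script below is an added example, written for this reply and not taken from the original post or from ISC's code. It re-implements those two rules in Python, feeds them the match-clients lists copied from the posted named.conf, and compares them with a suggested ordering. The acl name "internals" and the three views come from the post; the sample client addresses are constructed (the WAN-side one is from the RFC 5737 TEST-NET-3 block), and the suggested ordering is my assumption about what was intended.

```python
"""Model of how BIND 9 picks a view for a client.

Added example (not from the original post, and not ISC's code): it
re-implements the two rules that decide which view a query lands in,
so the posted match-clients lists can be checked offline.

  1. An address match list is read top to bottom; the first element whose
     address or prefix contains the client decides the result. A "!"
     entry that matches stops the search with a negative result.
  2. Views are tried in the order they appear in named.conf; the first
     view whose match-clients matches the client serves it, and later
     views are never consulted for that client.
"""
import ipaddress

# The acl from the posted named.conf.
ACLS = {"internals": ["127.0.0.0/8", "192.168.0.0/22"]}


def match_list(client, entries, acls=ACLS):
    """Evaluate a BIND address_match_list for one client address.

    Returns True for a positive match, False when a negated ("!") element
    matched, and None when no element matched at all. A nested acl that
    matches negatively counts as "no match" for the outer element, which
    is how BIND keeps a double negation from turning into a surprise allow.
    """
    addr = ipaddress.ip_address(client)
    for entry in entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = match_list(client, acls[name], acls) is True
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def select_view(client, views):
    """Return the name of the first view whose match-clients matches."""
    for name, match_clients in views:
        if match_list(client, match_clients) is True:
            return name
    return None


def dead_entries(entries):
    """Elements listed after a bare "any": BIND never evaluates them."""
    for i, entry in enumerate(entries):
        if entry == "any":
            return entries[i + 1:]
    return []


def reachable_views(views, clients):
    """Set of view names that at least one of the sample clients lands in."""
    return {select_view(c, views) for c in clients} - {None}


# match-clients lists copied, in file order, from the posted named.conf.
POSTED_VIEWS = [
    ("internal", ["internals"]),
    ("external", ["any", "!192.168.0.0/22", "!127.0.0.1"]),
    ("all", ["any"]),
]

# Suggested ordering (an assumption, not from the post): negations first,
# "any" last, and no third catch-all view, since a view placed after one
# that matches "any" can never be reached.
SUGGESTED_VIEWS = [
    ("internal", ["internals"]),
    ("external", ["!internals", "any"]),
]

# Constructed sample clients: a LAN host, the loopback, and an address from
# TEST-NET-3 (RFC 5737) standing in for a host on the WAN side of the NAT.
SAMPLE_CLIENTS = ["192.168.1.10", "127.0.0.1", "203.0.113.5"]

if __name__ == "__main__":
    for label, views in (("posted", POSTED_VIEWS), ("suggested", SUGGESTED_VIEWS)):
        print(f"{label} named.conf:")
        for c in SAMPLE_CLIENTS:
            print(f"  {c:>14} -> view {select_view(c, views)}")
        for name, mc in views:
            if dead_entries(mc):
                print(f"  view {name}: unreachable entries {dead_entries(mc)}")
        print(f"  reachable views: {sorted(reachable_views(views, SAMPLE_CLIENTS))}")
```

Run against the posted lists, a WAN client lands in "external" because its match-clients begins with "any" (the "!192.168.0.0/22" and "!127.0.0.1" entries after it are never reached), and the "all" view, which is the only one holding the hint zone, is never selected by anybody. That is why outside lookups fail: "external" has no root hints and allows recursion only from 127.0.0.1, which can never reach that view anyway. Zones are not shared between views, so whichever view is meant to recurse must contain its own zone "." hint; for the LAN that means moving the hint and the RFC 1912 zones into "internal" and deleting "all". For "external", answering recursive queries from the whole Internet through the forwarded port 53 would make the box an open resolver usable for reflection/amplification and exposed to cache-poisoning attempts, so the safer answer to the "have I left something open" question is to keep only the zones from named.conf.external there with recursion no; (or allow-recursion { none; };) and to ground the match-clients order as in SUGGESTED_VIEWS. Two smaller points: run named-checkconf -z after the change to confirm every view still loads its zones, and since the rndc secret has now been published on a public list it should be regenerated with rndc-confgen, even though controls is bound to 127.0.0.1 only.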