Re: Cannot get "allow-query-on" to work

2014-07-02 Thread Jeremy C. Reed
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was
fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for "zone" 
configurations. Use allow-cache-on if restricting access to the cache (or 
allow-recursion-on like you also used).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Cannot get "allow-query-on" to work.

2014-07-02 Thread Bob Harold
"listen-on" defaults to all the computer's IPv4 addresses, including the
loopback, so I did not put an explicit "listen-on" statement.  It answers
queries to both the loopback and other addresses.

-- 
Bob Harold
DNS hostmaster
University of Michigan


On Wed, Jul 2, 2014 at 1:06 PM, Bob McDonald  wrote:

> Did you specify 127.0.0.1 in the "listen-on" options statement?
>
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
> > allow-query-on { 127.0.0.1; };
>
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not answer
> > queries sent to the server's normal IP.  But it seems to have no effect.
>
> > I have tried putting the computer's real IP in there instead - same results
> > - both IP's answer queries.
>
> > I have tried the similar "allow-recursion-on" option and that works as
> > documented.
>
> > Any clue how to get "allow-query-on" to work?
> > Searching the mail archives and Google did not find anything - but it is
> > hard to filter on just "allow-query-on" as a complete string.
> > Has anyone even used that option?
>
> > --
> > Bob Harold
> > DNS hostmaster
> > University of Michigan
>
> Regards,
>
> Bob
>

re: Cannot get "allow-query-on" to work.

2014-07-02 Thread Bob McDonald
Did you specify 127.0.0.1 in the "listen-on" options statement?

> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

> allow-query-on { 127.0.0.1; };

> To the default /etc/bind/named.conf.options file.
> That should make it only answer queries sent to 127.0.0.1, and not answer
> queries sent to the server's normal IP.  But it seems to have no effect.

> I have tried putting the computer's real IP in there instead - same results
> - both IP's answer queries.

> I have tried the similar "allow-recursion-on" option and that works as
> documented.

> Any clue how to get "allow-query-on" to work?
> Searching the mail archives and Google did not find anything - but it is
> hard to filter on just "allow-query-on" as a complete string.
> Has anyone even used that option?

> --
> Bob Harold
> DNS hostmaster
> University of Michigan

Regards,

Bob

Re: Cannot get "allow-query-on" to work

2014-07-02 Thread Reindl Harald
personally i would not mix that and have own virtual servers
and control the reachability via iptables, the servers
can act as slave/master where needed so that the datacenter
nameserver has all zones and differ where it makes sense

we do something similar with internal / public nameservers
4 dns servers, 2 of them only reachable from specific IPs

some years ago i would have mixed that too, but now with
VMware/Xen/KVM/LXC became mature

Am 02.07.2014 18:18, schrieb Bob Harold:
> The server I really need this for is a little more complex.  I was just 
> trying for a simple test case.
> 
> Here are more details on my plans to actually use "allow-query-on".  Two DNS 
> servers, one only for the data
> centers, and another for the users, but also as backup for the data center.
> 
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
> acl DATACENTER { ... data center subnets ... };
> options {
>     allow-query { any; };
>     allow-recursion { any; };
>     recursion yes;
> };
> view "datacenter" {
>     match-clients { DATACENTER; };
>     ... my zones ...
> };
> 
> DNS resolver for users, but also backup resolver for the data center: (There 
> are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
> options {
>     allow-query { any; };
>     allow-recursion { any; };
>     recursion yes;
> };
> view "datacenter" {
>     match-clients { DATACENTER; };
>     allow-query-on { data center resolver ip };
>     ... my zones ...
> };
> view "users" {
>     match-clients { "any"; };
>     allow-query-on { user resolver ip };
>     ... my zones ...
> };
> 
> I don't want users trying to use the data center resolver IP.  Without the 
> "allow-query-on", it would work for them
> if the anycast path reached the user resolver, but not if it reached the data 
> center resolver.  That confuses users.
> 
> (Actually, both data center and users have two anycast resolver IP's each, so 
> double the above sets of servers.)
> The authoritative servers are a separate set of servers, not using anycast, 
> not involved in this.
> 
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald wrote:
> 
> 
> Am 02.07.2014 17:08, schrieb Bob Harold:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> > allow-query-on { 127.0.0.1; };
> >
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not
> > answer queries sent to the server's normal IP.
> > But it seems to have no effect
> 
> why just listening on an interface you don't want to
> answer from and so accept packets at all?
> 
> listen-on  {any;};
> listen-on  {127.0.0.1;};
> listen-on  {127.0.0.1; 192.168.196.2;};




Re: Cannot get "allow-query-on" to work

2014-07-02 Thread Bob Harold
The server I really need this for is a little more complex.  I was just
trying for a simple test case.

Here are more details on my plans to actually use "allow-query-on".  Two
DNS servers, one only for the data centers, and another for the users, but
also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf:
(has data center DNS resolver IP)
acl DATACENTER { ... data center subnets ... };
options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    ... my zones ...
};

DNS resolver for users, but also backup resolver for the data center:
(There are actually two of these.)
(has both user DNS resolver IP and data center DNS resolver IP)
options {
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
view "datacenter" {
    match-clients { DATACENTER; };
    allow-query-on { data center resolver ip };
    ... my zones ...
};
view "users" {
    match-clients { "any"; };
    allow-query-on { user resolver ip };
    ... my zones ...
};

I don't want users trying to use the data center resolver IP.  Without the
"allow-query-on", it would work for them if the anycast path reached the
user resolver, but not if it reached the data center resolver.  That
confuses users.

(Actually, both data center and users have two anycast resolver IP's each,
so double the above sets of servers.)
The authoritative servers are a separate set of servers, not using anycast,
not involved in this.

-- 
Bob Harold
DNS Hostmaster
University of Michigan


On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald wrote:

>
> Am 02.07.2014 17:08, schrieb Bob Harold:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> > allow-query-on { 127.0.0.1; };
> >
> > To the default /etc/bind/named.conf.options file.
> > That should make it only answer queries sent to 127.0.0.1, and not
> > answer queries sent to the server's normal IP.
> > But it seems to have no effect
>
> why just listening on an interface you don't want to
> answer from and so accept packets at all?
>
> listen-on  {any;};
> listen-on  {127.0.0.1;};
> listen-on  {127.0.0.1; 192.168.196.2;};
>

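As an added example, not from any poster in this thread: one way to lay out the second resolver above (the one carrying both the user address and the data-center address) so that users who hit the data-center address are refused consistently, whichever anycast node their packets reach. This is the editor's suggestion, not Bob Harold's configuration, and it assumes a BIND release newer than the 9.8.1 build under discussion (Jeremy Reed notes the allow-query-on fix arrived around 9.8.6rc2). Instead of relying on allow-query-on, it uses match-destinations, a view option that selects the view by the local address a query arrived on, so the restriction is enforced at view selection. Jeremy Reed's reply also points out that allow-query-on only governs zone data and that the cache needs its own restriction; the option the BIND ARM documents for that is allow-query-cache-on, used below alongside allow-recursion-on. The addresses 192.0.2.10 and 192.0.2.20 and the 10.0.0.0/8 ACL are placeholders, not the poster's values.

```conf
// Added example, not from the thread. Placeholder addresses:
//   192.0.2.10 = data-center resolver address (anycast)
//   192.0.2.20 = user resolver address (anycast)
acl DATACENTER { 10.0.0.0/8; };   // placeholder for the data-center subnets

options {
    // Bind only the addresses this host is meant to serve on.
    listen-on { 127.0.0.1; 192.0.2.10; 192.0.2.20; };
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// Data-center clients arriving on the data-center address.
view "datacenter" {
    match-clients { DATACENTER; };
    match-destinations { 192.0.2.10; };
    // Recursion and cache answers from this view only on its own address.
    allow-recursion-on { 192.0.2.10; };
    allow-query-cache-on { 192.0.2.10; };
    // zones for this view go here
};

// Everyone (data-center clients included, as the backup path) on the user address.
// A non-data-center source sending to 192.0.2.10 matches neither view,
// so named answers REFUSED on every node, not just on some of them.
view "users" {
    match-clients { any; };
    match-destinations { 192.0.2.20; };
    allow-recursion-on { 192.0.2.20; };
    allow-query-cache-on { 192.0.2.20; };
    // zones for this view go here
};
```

Validate with named-checkconf before reloading. Then, from a host outside DATACENTER, a query such as `dig @192.0.2.10 example.com` should come back with status REFUSED (named logs it as no matching view), while `dig @192.0.2.20 example.com` is answered from the "users" view; from a data-center host, both addresses answer, the first from "datacenter" and the second from "users". Because match-destinations decides the view before any allow-* list is consulted, the outcome does not depend on whether the zone or cache path is taken, which is the difference from allow-query-on on the affected 9.8.1 build.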
Re: Cannot get "allow-query-on" to work

2014-07-02 Thread Reindl Harald

Am 02.07.2014 17:08, schrieb Bob Harold:
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> 
> allow-query-on { 127.0.0.1; };
> 
> To the default /etc/bind/named.conf.options file.
> That should make it only answer queries sent to 127.0.0.1, and not 
> answer queries sent to the server's normal IP.
> But it seems to have no effect

why just listening on an interface you don't want to
answer from and so accept packets at all?

listen-on  {any;};
listen-on  {127.0.0.1;};
listen-on  {127.0.0.1; 192.168.196.2;};


