On Fri, Nov 13, 2020 at 10:12 PM Tim via users <users@lists.fedoraproject.org> wrote:
> On Fri, 2020-11-13 at 13:38 -0800, Jack Craig wrote:
> > current named.conf
> >
> > options
> > {
> > // Put files that named is allowed to write in the data/ directory:
> > directory "/var/named"; // "Working" directory
> > dump-file "data/cache_dump.db";
> > statistics-file "data/named_stats.txt";
> > memstatistics-file "data/named_mem_stats.txt";
> > secroots-file "data/named.secroots";
> > recursing-file "data/named.recursing";
> >
> > listen-on port 53 { any; };
> > listen-on-v6 port 53 { any; };
> >
> > allow-transfer { 108.220.213.120/29; };
> >
> > forwarders {
> > 8.8.8.8;
> > 8.8.4.4;
> > };
>
> I found when I tried using forwarders, that all queries went to them,
> not just the ones that the server couldn't answer for itself.
>
> > controls {
> >
> > inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> > };
> >
> > view "internal-lan-view"
> > {
> > match-clients { internals; };
> >
> > allow-recursion { internals; };
> > allow-recursion-on { internals; };
> >
> > zone "linuxlighthouse.com" {
> > type master;
> > file "/var/named/internal.db";
> > allow-query { internals; };
> > };
> > };
>
> Above, you've used "match-clients," but haven't defined what
> "internals" means (and I can't see "internals" listed as a predefined
> term in the BIND docs).
>
> e.g. acl "internals" { localhost; 192.168/16; 10.0/16; };
>
> NB: "acl" needs to be defined outside of the views clause.
>
> I believe "localhost" and/or "localnets" are predefined terms that
> could be useful to you.
>
> see: https://bind9.readthedocs.io/en/v9_16_6/reference.html
>
> 4.2.2. acl Statement Definition and Usage
>
> The acl statement assigns a symbolic name to an address match list.
> It gets its name from a primary use of address match lists: Access
> Control Lists (ACLs).
>
> The following ACLs are built-in:
>
> "any" Matches all hosts.
>
> "none" Matches no hosts.
>
> "localhost" Matches the IPv4 and IPv6 addresses of all network
> interfaces on the system. When addresses are added or removed, the
> localhost ACL element is updated to reflect the changes.
>
> "localnets" Matches any host on an IPv4 or IPv6 network for which the
> system has an interface. When addresses are added or removed, the
> localnets ACL element is updated to reflect the changes. Some systems
> do not provide a way to determine the prefix lengths of local
> IPv6 addresses; in such a case, localnets only matches the local IPv6
> addresses, just like localhost.
>
> (Their definition of localhost goes beyond the "localhost simply means
> 127.0.0.1" that we're used to with hostnames.)
>
> > view "external-wan-view"
> > {
> > match-clients { any; };
> > recursion no;
> >
> > allow-query { any; };
> > allow-transfer { 108.220.213.120/29; };
> >
> > zone "linuxlighthouse.com" {
> > type master;
> > file "/var/named/linuxlighthouse.com.db";
> > };
> >
> > zone "213.220.108.in-addr.arpa" {
> > type master;
> > file "/var/named/213.220.108.in-addr.arpa";
> > };
> > };
>
> Since you've used "any" as a match, here, something else has to match
> it before this clause, else this clause will always match it.
>
> i.e. Your internal rules have to be first.

apologies for clipping the file,...

/*
 LinuxLightHouse named.conf
 BIND DNS server 'named' configuration file for the Red Hat BIND distribution.
*/

acl internals { 10.0.0.0/24; 127.0.0.0/8; };

options
{
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // "Working" directory
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	secroots-file "data/named.secroots";
	recursing-file "data/named.recursing";

	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };

	allow-transfer { 108.220.213.120/29; };
	allow-recursion { 10.0.0.0/24; };

	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive servers DNSSEC aware servers */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers */
	dnssec-validation yes;

	/* In Fedora we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";

	/* In Fedora we use system-wide Crypto Policy */
	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";

	/* use querylog all the time rndc */
	querylog yes;
};

include "/etc/rndc.key";

controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

view "internal-lan-view"
{
	match-clients { internals; };

	allow-recursion { internals; };
	allow-recursion-on { internals; };
	allow-query { internals; };

	zone "linuxlighthouse.com" {
		type master;
		file "/var/named/internal.db";
	};
};

view "external-wan-view"
{
	match-clients { any; };
	match-destinations { any; };
	recursion no;

	allow-query { any; };
	allow-transfer { 108.220.213.120/29; };

	zone "linuxlighthouse.com" {
		type master;
		file "/var/named/linuxlighthouse.com.db";
	};

	zone "213.220.108.in-addr.arpa" {
		type master;
		file "/var/named/213.220.108.in-addr.arpa";
	};
};

14-Nov-2020 05:04:11.931 query-errors: info: client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/NS at ../../../bin/named/query.c:7270
14-Nov-2020 05:06:54.149 query-errors: info: client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/ANY at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.323 query-errors: info: client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.354 query-errors: info: client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.520 query-errors: info: client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:25.119 query-errors: info: client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for www.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270

14-Nov-2020 05:03:32.658 general: info: managed-keys-zone/internal-lan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info: managed-keys-zone/external-wan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info: zone linuxlighthouse.com/IN/internal-lan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone 213.220.108.in-addr.arpa/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone linuxlighthouse.com/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: notice: all zones loaded
14-Nov-2020 05:03:32.658 general: notice: running

14-Nov-2020 05:04:11.931 queries: info: client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN NS +E(0)K (::1)
14-Nov-2020 05:06:54.149 queries: info: client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN ANY -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.323 queries: info: client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.354 queries: info: client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.520 queries: info: client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
14-Nov-2020 05:07:25.119 queries: info: client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query: www.linuxlighthouse.com IN A -E(0)D (10.0.0.101)

14-Nov-2020 05:04:11.931 client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/NS/IN' denied
14-Nov-2020 05:06:54.149 client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/ANY/IN' denied
14-Nov-2020 05:07:16.323 client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.354 client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.520 client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
14-Nov-2020 05:07:25.119 client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query 'www.linuxlighthouse.com/A/IN' denied

???

logging {
	channel default_debug {
		file "/var/log/named/named.run" versions 3 size 5m;
	...

bind.x86_64 :9.11.23-1.fc32
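As an added illustration of the view-selection behaviour discussed above (this is not code from the thread or from BIND), the script below models BIND's first-match evaluation of match-clients lists and acl names; the interface addresses it uses for the localhost built-in are assumed. Run as-is it reproduces why the ::1 query in the log was served by external-wan-view: 127.0.0.0/8 does not cover the IPv6 loopback, so the client falls through to the "any" view.

```python
# Added example (not from the thread): a small model of how BIND picks a view
# for a client. Modelled semantics: views are tried in config order and the
# first whose match-clients list matches wins; within a list the first matching
# element decides and a leading "!" negates it; "any"/"none"/"localhost" are
# built-ins. Only match-clients is modelled (no match-destinations).
import ipaddress

# Assumed interface addresses for the "localhost" built-in (the log shows the
# server answering on 10.0.0.101 and ::1).
LOCAL_IFACES = {"127.0.0.1", "::1", "10.0.0.101"}

# The acl from the posted named.conf.
ACLS = {"internals": ["10.0.0.0/24", "127.0.0.0/8"]}

def _match_element(elem, addr):
    """True if a single address-match-list element matches addr."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem == "localhost":
        return str(addr) in LOCAL_IFACES
    if elem in ACLS:                      # nested acl reference
        return match_list(ACLS[elem], addr)
    net = ipaddress.ip_network(elem, strict=False)
    return addr.version == net.version and addr in net

def match_list(elements, addr):
    """BIND address match list: first matching element decides; '!' negates."""
    for elem in elements:
        negate = elem.startswith("!")
        if _match_element(elem.lstrip("!"), addr):
            return not negate
    return False

def select_view(views, client):
    """Name of the first view whose match-clients matches client, else None."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        if match_list(match_clients, addr):
            return name
    return None   # no view matched: BIND would refuse the query

# View order from the posted config: internal first, catch-all "any" last.
VIEWS = [("internal-lan-view", ["internals"]),
         ("external-wan-view", ["any"])]

if __name__ == "__main__":
    for c in ["::1", "127.0.0.1", "10.0.0.55", "184.94.241.121"]:
        print(f"{c:>16} -> {select_view(VIEWS, c)}")
```

Adding `localhost` to the internals acl (as Tim suggests) moves ::1 into the internal view, and reversing the two views sends every client, LAN included, to external-wan-view.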