On Fri, Nov 13, 2020 at 10:12 PM Tim via users <
users@lists.fedoraproject.org> wrote:

> On Fri, 2020-11-13 at 13:38 -0800, Jack Craig wrote:
> > current named.conf
> >
> > options
> > {
> >         // Put files that named is allowed to write in the data/
> directory:
> >         directory               "/var/named";           // "Working"
> directory
> >         dump-file               "data/cache_dump.db";
> >         statistics-file         "data/named_stats.txt";
> >         memstatistics-file      "data/named_mem_stats.txt";
> >         secroots-file           "data/named.secroots";
> >         recursing-file          "data/named.recursing";
> >
> >         listen-on port 53       { any; };
> >         listen-on-v6 port 53    { any; };
> >
> >         allow-transfer    { 108.220.213.120/29; };
> >
> >         forwarders {
> >                 8.8.8.8;
> >                 8.8.4.4;
> >         };
>
> I found when I tried using forwarders, that all queries went to them,
> not just the ones that the server couldn't answer for itself.
>
>
>
> > controls {
> >
> >       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> > };
> >
> > view "internal-lan-view"
> > {
> >         match-clients   { internals; };
> >
> >         allow-recursion { internals; };
> >         allow-recursion-on { internals; };
> >
> >         zone "linuxlighthouse.com" {
> >            type master;
> >            file "/var/named/internal.db";
> >            allow-query    { internals; };
> >         };
> > };
>
> Above, you've used "match-clients," but haven't defined what
> "internals" means (and I can't see "internals" listed as a predefined
> term in the BIND docs).
>
> e.g. acl "internals" { localhost; 192.168/16; 10.0/16; };
>
> NB:  "acl" needs to be defined outside of the views clause.
>
> I believe "localhost" and/or "localnets" are predefined terms that
> could be useful to you.
>
> see:  https://bind9.readthedocs.io/en/v9_16_6/reference.html
>
> 4.2.2. acl Statement Definition and Usage
>
> The acl statement assigns a symbolic name to an address match list.
> It gets its name from a primary use of address match lists: Access
> Control Lists (ACLs).
>
> The following ACLs are built-in:
>
> "any" Matches all hosts.
>
> "none" Matches no hosts.
>
> "localhost" Matches the IPv4 and IPv6 addresses of all network
> interfaces on the system. When addresses are added or removed, the
> localhost ACL element is updated to reflect the changes.
>
> "localnets" Matches any host on an IPv4 or IPv6 network for which the
> system has an interface. When addresses are added or removed, the
> localnets  ACL element is updated to reflect the changes. Some systems
> do not provide a way to determine the prefix lengths of local
> IPv6 addresses; in such a case, localnets only matches the local IPv6
> addresses, just like localhost.
>
> (Their definition of localhost goes beyond the "localhost simply means
> 127.0.0.1" that we're used to with hostnames.)
>
> > view "external-wan-view"
> > {
> >         match-clients   { any; };
> >         recursion no;
> >
> >         allow-query     { any; };
> >         allow-transfer  { 108.220.213.120/29; };
> >
> >         zone "linuxlighthouse.com" {
> >             type master;
> >             file "/var/named/linuxlighthouse.com.db";
> >         };
> >
> >         zone "213.220.108.in-addr.arpa" {
> >             type master;
> >             file "/var/named/213.220.108.in-addr.arpa";
> >         };
> > };
> >
>
> Since you've used "any" as a match, here, something else has to match
> it before this clause, else this clause will always match it.
>
> i.e. Your internal rules have to be first.
>

Apologies for clipping the file...








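/* LinuxLightHouse named.conf BIND DNS server 'named' configuration
   file for the Red Hat BIND distribution.  */

/* Clients treated as "internal".  Only these reach the recursive
   internal-lan-view; everything else falls through to external-wan-view.
   ::1/128 is added because the query log shows a client at ::1#47114 being
   routed to external-wan-view: 127.0.0.0/8 covers only the IPv4 loopback.
   (The built-in "localhost" ACL would also cover it, but it matches every
   address on every interface of the host, which is wider than loopback.) */
acl internals {
    10.0.0.0/24;
    127.0.0.0/8;
    ::1/128;
};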

/* Global server options.  Anything set here applies to every view below
   unless the view sets the same option itself; both views in this file
   set their own recursion and query policy. */
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";

// Accept queries on every IPv4 and IPv6 address of the host; this is what
// lets the Internet reach the authoritative zones in external-wan-view.
// Who may recurse is decided per view, not here.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };

        // Zone transfers (AXFR/IXFR) only to this /29; repeated per view below.
        allow-transfer    { 108.220.213.120/29; };

        // Default recursion policy.  Both views override it (internal-lan-view
        // with the "internals" ACL, external-wan-view with "recursion no"),
        // so it only matters for a view that does not set its own.
        allow-recursion { 10.0.0.0/24; };

/* DNSSEC related options. See information about keys ("Trusted keys",
below) */
/* Enable serving of DNSSEC related data - enable on both authoritative
    and recursive DNSSEC-aware servers */
dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;

/* In Fedora we use /run/named instead of default /var/run/named
  so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";

        /* In Fedora we use system-wide Crypto Policy */
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* Log every query (this is what produces the "queries:" lines in the
           log excerpt further down).  Useful while debugging the REFUSED
           answers; it is verbose and records client addresses, so consider
           turning it off once the problem is found. */
        querylog yes;
};

include "/etc/rndc.key";

/* rndc control channel: bound to the IPv4 loopback only, accepts only
   localhost clients, and requires the "rndc-key" TSIG key (expected to be
   defined by the include "/etc/rndc.key" above).  Nothing off-host can
   reach it. */
controls {
      inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

/* Split-horizon view for the LAN.  Views are tried in order and the first
   match-clients hit wins, so this view must stay ahead of external-wan-view
   (whose match is "any").  Only clients in the "internals" ACL get here, and
   only they may recurse or query through this view. */
view "internal-lan-view"
{
match-clients { internals; };

        // Recursion is offered only to internal clients, and only on
        // addresses that are themselves internal (allow-recursion-on).
        allow-recursion    { internals; };
        allow-recursion-on { internals; };
        // Redundant with match-clients, but harmless as a second gate.
        allow-query   { internals; };

// Same zone name as in external-wan-view, but a different zone file:
// LAN clients see internal.db, everyone else sees linuxlighthouse.com.db.
zone "linuxlighthouse.com" {
           type master;
           file "/var/named/internal.db";
};
};

/* Catch-all view for everything not matched above (match-clients "any").
   It is authoritative only: recursion is off, so the server is not an open
   resolver for the Internet, and zone transfers are limited to the /29.
   NOTE(review): the log excerpt below shows external clients routed into
   this view and answered REFUSED / "query ... denied" for names inside
   linuxlighthouse.com even though allow-query is "any"; the cause is not
   visible in this clipped listing -- check whether anything outside this
   excerpt overrides allow-query for the view or its zones.  The ::1 query
   in the same log reached this view because the "internals" ACL has no
   IPv6 loopback entry. */
view "external-wan-view"
{
match-clients   { any; };
match-destinations { any; };
// No recursion for outside clients: only data from the zones below is served.
recursion no;

        allow-query { any; };
        allow-transfer  { 108.220.213.120/29; };

// Public copy of the zone (the LAN view serves internal.db instead).
zone "linuxlighthouse.com" {
            type master;
            file "/var/named/linuxlighthouse.com.db";
};

        // Reverse zone for 108.220.213.0/24.  Its closing "};" is on the
        // next line; the view's own closing "};" is not in this clipped
        // listing.
        zone "213.220.108.in-addr.arpa" {
            type master;
            file "/var/named/213.220.108.in-addr.arpa";
        };
14-Nov-2020 05:04:11.931 query-errors: info: client
@0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view:
query failed (REFUSED) for linuxlighthouse.com/IN/NS at
../../../bin/named/query.c:7270
14-Nov-2020 05:06:54.149 query-errors: info: client @0x7f52381c9760
137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query
failed (REFUSED) for linuxlighthouse.com/IN/ANY at
../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.323 query-errors: info: client @0x7f52381c9760
184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query
failed (REFUSED) for linuxlighthouse.com/IN/A at
../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.354 query-errors: info: client @0x7f52381c9760
184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query
failed (REFUSED) for linuxlighthouse.com/IN/A at
../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.520 query-errors: info: client @0x7f52381c9760
184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view:
query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at
../../../bin/named/query.c:7270
14-Nov-2020 05:07:25.119 query-errors: info: client @0x7f52381c9760
184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view:
query failed (REFUSED) for www.linuxlighthouse.com/IN/A at
../../../bin/named/query.c:7270
14-Nov-2020 05:03:32.658 general: info:
managed-keys-zone/internal-lan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info:
managed-keys-zone/external-wan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info: zone
linuxlighthouse.com/IN/internal-lan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone
213.220.108.in-addr.arpa/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone
linuxlighthouse.com/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: notice: all zones loaded
14-Nov-2020 05:03:32.658 general: notice: running
14-Nov-2020 05:04:11.931 queries: info: client @0x7f52380dc520 ::1#47114 (
linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN
NS +E(0)K (::1)
14-Nov-2020 05:06:54.149 queries: info: client @0x7f52381c9760
137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query:
linuxlighthouse.com IN ANY -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.323 queries: info: client @0x7f52381c9760
184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query:
linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.354 queries: info: client @0x7f52381c9760
184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query:
linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.520 queries: info: client @0x7f52381c9760
184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view:
query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
14-Nov-2020 05:07:25.119 queries: info: client @0x7f52381c9760
184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view:
query: www.linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:04:11.931 client @0x7f52380dc520 ::1#47114 (
linuxlighthouse.com): view external-wan-view: query '
linuxlighthouse.com/NS/IN' denied
14-Nov-2020 05:06:54.149 client @0x7f52381c9760 137.226.113.35#18392 (
linuxlighthouse.com): view external-wan-view: query '
linuxlighthouse.com/ANY/IN' denied
14-Nov-2020 05:07:16.323 client @0x7f52381c9760 184.94.241.121#52528 (
linuxlighthouse.com): view external-wan-view: query '
linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.354 client @0x7f52381c9760 184.94.241.121#10468 (
linuxlighthouse.com): view external-wan-view: query '
linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.520 client @0x7f52381c9760 184.94.241.121#33732 (
ws.linuxlighthouse.com): view external-wan-view: query '
ws.linuxlighthouse.com/AAAA/IN' denied
14-Nov-2020 05:07:25.119 client @0x7f52381c9760 184.94.241.121#11455 (
www.linuxlighthouse.com): view external-wan-view: query '
www.linuxlighthouse.com/A/IN' denied

???

logging {
    channel default_debug {
        file "/var/log/named/named.run" versions 3 size 5m;
           ...

*bind.x86_64                                        :9.11.23-1.fc32  *