[rhelv6-list] Bind 9.8 and unable to query from internal view

francis picabia fpicabia at gmail.com
Thu Dec 20 14:34:33 UTC 2012


Hi,

I'd really appreciate some help on this. I thought this was working when
testing, but today when rolling it into production it fails me.

I have internal and external views in named.conf

The goal is to allow everyone (in and out) to query my domain,
but allow only internal users to query the outside world.

We had this working before in Redhat 5, but something has changed and
it isn't working for RH 6.

The strange thing is, I can do queries of the outside OK from
the DNS server, or from systems on the same subnet.

The ones I want to let use the view seem to match the view,
but are blocked:

Dec 20 10:14:58 sedna named[7574]: 20-Dec-2012 10:14:58.759 security: info:
client XXX.YYY.200.66#55286: view internal: query (cache) 'onmail.com/MX/IN'
denied

acl "local_lan" {
      XXX.YYY.0.0/16;
      127.0.0.1;
};

view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
        match-clients           { local_lan; XXX.YYY.1.3; };
        match-destinations      { any; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        empty-zones-enable yes;
        notify yes;
        allow-transfer { adcs; XXX.YYYY.1.3; };
        also-notify { XXX.YYY.200.67; XXX.YYY.200.66; XXX.YYY.1.3;};
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        include "/etc/named.rfc1912.zones";

        zone "mydomain.ca" in {
          type master;
          file "forward/mydomain.ca";
        };

        zone "XXX.YYY.in-addr.arpa" in {
          type master;
          file "reverse/db.XXX.YYY.rev";
        };

};


I've changed the first digits of my network IPs to XXX.YYY.

The DNS system is on XXX.YYY.2.48, and systems on subnet 2 can query it OK.
Other systems which should fall in the /16 network are not able to query.

It seems like there is something about Bind 9.8 I'm missing.
Running BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5