[rhelv6-list] Bind 9.8 and unable to query from internal view

francis picabia fpicabia at gmail.com
Thu Dec 20 15:13:28 UTC 2012


Hi,

Thanks for the suggestion.  There are probably a few ways to
fix these things, but in my case I found two things
I needed...

In options, I needed:

        allow-recursion {XXX.YYY.0.0/16; };

Also, I had trouble with external view.  It had been set as:

        match-clients           { !local_lan; };

This would not match external clients.  I had to use:

        match-clients           { any; };

Now things are working again...



On Thu, Dec 20, 2012 at 10:45 AM, Antonio Lopez <cubodebits at gmail.com> wrote:

> Check allow-query directive
>
> 2012/12/20 francis picabia <fpicabia at gmail.com>
>
>> Hi,
>>
>> I'd really appreciate some help on this. I thought this was working when
>> testing,
>> but today when rolling it into production it fails me.
>>
>> I have internal and external views in named.conf
>>
>> The goal is to allow everyone (in and out) to query my domain,
>> but allow only internal users to query the outside world.
>>
>> We had this working before in Redhat 5, but something has changed and
>> it isn't working for RH 6.
>>
>> The strange thing is, I can do queries of the outside OK from
>> the DNS server, or from systems on the same subnet.
>>
>> The ones I want to let use the view, seem to match the view,
>> but are blocked:
>>
>> Dec 20 10:14:58 sedna named[7574]: 20-Dec-2012 10:14:58.759 security:
>> info: client XXX.YYY.200.66#55286: view internal: query (cache) '
>> onmail.com/MX/IN' denied
>>
>> acl "local_lan" {
>>       XXX.YYY.0.0/16;
>>       127.0.0.1;
>> };
>>
>> view "internal"
>> {
>> /* This view will contain zones you want to serve only to "internal"
>> clients
>>    that connect via your directly attached LAN interfaces - "localnets" .
>>  */
>>         match-clients           { local_lan; XXX.YYY.1.3; };
>>         match-destinations      { any; };
>>         recursion yes;
>>         additional-from-auth yes;
>>         additional-from-cache yes;
>>         empty-zones-enable yes;
>>         notify yes;
>>         allow-transfer { adcs; XXX.YYYY.1.3; };
>>         also-notify { XXX.YYY.200.67; XXX.YYY.200.66; XXX.YYY.1.3;};
>>         // all views must contain the root hints zone:
>>         include "/etc/named.root.hints";
>>
>>         include "/etc/named.rfc1912.zones";
>>
>>         zone "mydomain.ca" in {
>>           type master;
>>           file "forward/mydomain.ca";
>>         };
>>
>>         zone "XXX.YYY.in-addr.arpa" in {
>>            type master;
>>           file "reverse/db.XXX.YYY.rev";
>>         };
>>
>>
>> };
>>
>>
>> I've changed the first digits of my network IPs to XXX.YYY.
>>
>> The DNS system is on XXX.YYY.2.48, and systems on subnet 2 can query it
>> OK.
>> Other systems which should fall in the /16 network are not able to query.
>>
>> It seems like there is something about Bind 9.8 I'm missing.
>> Running BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5
>>
>>
>>
>> _______________________________________________
>> rhelv6-list mailing list
>> rhelv6-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/rhelv6-list
>>
>
>
>
> --
>
> “software is like sex, its better when its free”
>
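For reference, here is a minimal two-view named.conf that puts the two fixes from this thread together. This is an added example, not the poster's configuration: XXX.YYY.0.0/16 is the redacted network from the thread, and the zone file paths and include files are those shown in the quoted config.

```conf
// Added example (not the poster's named.conf): serve mydomain.ca to everyone,
// but recurse only for the local LAN. XXX.YYY.0.0/16 is the thread's redacted
// network; zone file and include paths are taken from the quoted config.

acl "local_lan" {
        XXX.YYY.0.0/16;
        127.0.0.1;
};

options {
        // Without this, clients matching the internal view still get
        // "query (cache) ... denied" on lookups for outside names. Limiting it
        // to the LAN also keeps the server from acting as an open resolver.
        allow-recursion { local_lan; };
        allow-query     { any; };
};

view "internal" {
        // Views are tried in order: LAN clients match here and get recursion.
        match-clients      { local_lan; };
        match-destinations { any; };
        recursion yes;

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
        include "/etc/named.rfc1912.zones";

        zone "mydomain.ca" in {
                type master;
                file "forward/mydomain.ca";
        };
};

view "external" {
        // { !local_lan; } on its own matches nobody: a match list made only of
        // negations falls through to the implicit deny at its end. "any" is
        // safe here because the internal view above already took LAN clients.
        match-clients      { any; };
        match-destinations { any; };
        recursion no;

        include "/etc/named.root.hints";

        zone "mydomain.ca" in {
                type master;
                file "forward/mydomain.ca";
        };
};
```

A quick check after reloading is `dig @XXX.YYY.2.48 mydomain.ca SOA` from outside (should answer) and `dig @XXX.YYY.2.48 onmail.com MX` from outside (should be refused) versus from a /16 host (should resolve).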

