[rhelv6-list] Bind 9.8 and unable to query from internal view
francis picabia
fpicabia at gmail.com
Thu Dec 20 15:13:28 UTC 2012
Hi,
Thanks for the suggestion. There are probably a few ways to
fix these things, but in my case I found two things
I needed...
In options, I needed:
allow-recursion {XXX.YYY.0.0/16; };
Also, I had trouble with external view. It had been set as:
match-clients { !local_lan; };
This would not match external clients. I had to use:
match-clients { any; };
Now things are working again...
On Thu, Dec 20, 2012 at 10:45 AM, Antonio Lopez <cubodebits at gmail.com> wrote:
> Check allow-query directive
>
> 2012/12/20 francis picabia <fpicabia at gmail.com>
>
>> Hi,
>>
>> I'd really appreciate some help on this. I thought this was working when
>> testing, but today when rolling it into production it fails me.
>>
>> I have internal and external views in named.conf
>>
>> The goal is to allow everyone (in and out) to query my domain,
>> but allow only internal users to query the outside world.
>>
>> We had this working before in Redhat 5, but something has changed and
>> it isn't working for RH 6.
>>
>> The strange thing is, I can do queries of the outside OK from
>> the DNS server, or from systems on the same subnet.
>>
>> The ones I want to let use the view, seem to match the view,
>> but are blocked:
>>
>> Dec 20 10:14:58 sedna named[7574]: 20-Dec-2012 10:14:58.759 security: info: client XXX.YYY.200.66#55286: view internal: query (cache) 'onmail.com/MX/IN' denied
>>
>> acl "local_lan" {
>> XXX.YYY.0.0/16;
>> 127.0.0.1;
>> };
>>
>> view "internal"
>> {
>> /* This view will contain zones you want to serve only to "internal" clients
>>    that connect via your directly attached LAN interfaces - "localnets". */
>> match-clients { local_lan; XXX.YYY.1.3; };
>> match-destinations { any; };
>> recursion yes;
>> additional-from-auth yes;
>> additional-from-cache yes;
>> empty-zones-enable yes;
>> notify yes;
>> allow-transfer { adcs; XXX.YYYY.1.3; };
>> also-notify { XXX.YYY.200.67; XXX.YYY.200.66; XXX.YYY.1.3;};
>> // all views must contain the root hints zone:
>> include "/etc/named.root.hints";
>>
>> include "/etc/named.rfc1912.zones";
>>
>> zone "mydomain.ca" in {
>> type master;
>> file "forward/mydomain.ca";
>> };
>>
>> zone "XXX.YYY.in-addr.arpa" in {
>> type master;
>> file "reverse/db.XXX.YYY.rev";
>> };
>>
>>
>> };
>>
>>
>> I've changed the first digits of my network IPs to XXX.YYY.
>>
>> The DNS system is on XXX.YYY.2.48, and systems on subnet 2 can query it OK.
>> Other systems which should fall in the /16 network are not able to query.
>>
>> It seems like there is something about Bind 9.8 I'm missing.
>> Running BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5
>>
>>
>>
>> _______________________________________________
>> rhelv6-list mailing list
>> rhelv6-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/rhelv6-list
>>
>
>
>
> --
>
> “software is like sex, it's better when it's free”
>
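To make the two fixes in this thread concrete, here is a small Python model of how BIND 9 evaluates an address-match list and picks a view. It is added as an illustration for this archive page and is not code from the thread or from BIND. It encodes two rules: an element of an address-match list is tried in order and the first one that contains the client decides, with a `!`-negated element meaning "no match", so a list consisting only of `!local_lan` never matches anyone (the `{ !local_lan; any; }` form, not mentioned in the thread, also works and is included); and when `allow-recursion` is not set in `options`, BIND 9.8 falls back to `allow-query-cache`, whose own default is `localnets; localhost;`, which is consistent with only the server's own subnet being able to recurse. The addresses are constructed: 10.1.0.0/16 stands in for the thread's XXX.YYY.0.0/16, the server is assumed to sit on 10.1.2.0/24 (the "subnet 2" in the thread), and 203.0.113.9 is an arbitrary outside client. Per-view `recursion` settings are not modelled.

```python
import ipaddress

# Named ACLs. Constructed stand-ins: 10.1.0.0/16 plays the thread's XXX.YYY.0.0/16,
# and "localnets" is assumed to expand to the server's attached subnet 10.1.2.0/24.
ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.1/32"],
    "localnets": ["10.1.2.0/24"],   # assumption: the server's directly attached subnet
    "local_lan": ["10.1.0.0/16", "127.0.0.1/32"],
}


def acl_matches(elements, client):
    """Evaluate an address-match list the way BIND 9 does.

    Elements are tried in order; the first one that contains the client decides:
    a plain element means "match", a "!"-negated element means "no match".
    If no element contains the client the result is "no match", which is why a
    list consisting only of "!local_lan" can never match anyone.
    Nested ACL names are resolved recursively (negation inside a nested ACL is
    not modelled here).
    """
    ip = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name in ACLS:
            hit = acl_matches(ACLS[name], client)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def select_view(views, client):
    """Return the name of the first view whose match-clients list matches the
    client, or None when no view matches (BIND then refuses the query)."""
    for name, match_clients in views:
        if acl_matches(match_clients, client):
            return name
    return None


# The view layout from the thread: "external" as originally written, then the
# two forms that actually admit outside clients.
INTERNAL = ("internal", ["local_lan", "10.1.1.3/32"])
VIEWS_BROKEN = [INTERNAL, ("external", ["!local_lan"])]
VIEWS_FIXED = [INTERNAL, ("external", ["any"])]
VIEWS_EXPLICIT = [INTERNAL, ("external", ["!local_lan", "any"])]

# allow-recursion: what BIND 9.8 falls back to when it is not set in options,
# versus the explicit setting the thread ended up with.
ALLOW_RECURSION_DEFAULT = ["localnets", "localhost"]
ALLOW_RECURSION_FIXED = ["10.1.0.0/16"]


def diagnose(views, allow_recursion, client):
    """Return (matched view or None, recursion allowed) for one client."""
    view = select_view(views, client)
    return view, view is not None and acl_matches(allow_recursion, client)


if __name__ == "__main__":
    # Constructed clients: same subnet as the server, elsewhere in the /16, outside.
    for client in ("10.1.2.77", "10.1.200.66", "203.0.113.9"):
        print(client,
              "broken:", diagnose(VIEWS_BROKEN, ALLOW_RECURSION_DEFAULT, client),
              "fixed:", diagnose(VIEWS_FIXED, ALLOW_RECURSION_FIXED, client))
```

Running it shows the symptom from the original post (10.1.200.66 lands in the internal view but recursion is refused under the default) and that an outside client matches no view at all until the external view's match-clients is changed to `any` (or `!local_lan; any`).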