
ACL for forward zone


Prabhat Rana

Jul 12, 2010, 2:24:03 PM7/12/10
to bind-...@lists.isc.org
Hello all,
I have BIND 9.7.1 installed in Solaris 10. I need to use a forwarder for a certain internal private IP zone to certain internal DNS servers. In the meantime I need to use a certain ACL so that it would forward the queries and reply to them only from certain IP address clients. So I used the following configs in named.conf

acl "Internal" { 10.0.1.0/24; };

zone "10.in-addr.arpa" in {
    type forward;
    forwarders { 1.2.3.4; 5.6.7.8; };
    allow-query { "Internal"; };
};

However, it appears I can't use the 'allow-query' option in a forward zone, as seen in the syslog:
/etc/named.conf:102: option 'allow-query' is not allowed in 'forward' zone '10.in-addr.arpa'

Basically you know what I'm trying to achieve. So if anyone has any tip on how I can use forwarding only for clients within a certain IP address range, that would be great.

Prabhat.


Nuno Paquete

Jul 12, 2010, 5:17:58 PM7/12/10
to Prabhat Rana, bind-...@lists.isc.org
Hi Prabhat,

I think you don't need this ACL in your forwarder server; define it on
the authoritative server (1.2.3.4 and 5.6.7.8, according to your
example).

Regards,
Nuno Paquete

On 2010/07/12, at 19:27, "Prabhat Rana" <pran...@yahoo.com>
wrote:

Prabhat Rana

Jul 12, 2010, 8:28:23 PM7/12/10
to Nuno Paquete, bind-...@lists.isc.org
Hi Nuno,
Thanks for the response. However, I don't own the authoritative servers. And the clients that I am serving don't have direct access to the authoritative servers.

Prabhat.

--- On Mon, 7/12/10, Nuno Paquete <nunop...@lusocargo.pt> wrote:

Richard Tom

Jul 12, 2010, 10:05:15 PM7/12/10
to bind-...@lists.isc.org
The syntax for a forward zone is:

zone domain_name [ ( in | hs | hesiod | chaos ) ] {
    type forward;
    [ forward ( only | first ); ]
    [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ]
    [ check-names ( warn | fail | ignore ); ]
};

For the kind of access control you're trying to achieve, use a "view".  The syntax is as follows.

view view_name [class] {
    match-clients { address_match_list };
    match-destinations { address_match_list };
    match-recursive-only yes_or_no ;
    [ view_option; ... ]
    [ zone_statement; ... ]
};

Do some perusing of the Administrator's Reference Manual (ARM).  You might find the information in there quite useful.

Regards,
Richard
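
A complete named.conf built along the lines Richard describes, as an added example that is not part of the thread: the forward zone is placed inside a view that only the "Internal" ACL can match, so the per-zone allow-query that BIND rejects is no longer needed. The ACL, zone name and forwarder addresses are the placeholders from Prabhat's post; the "external" view, the directory path and the choice of forward only are assumptions made for the example.

```conf
// Added example, not from the original thread. Clients in the "Internal"
// ACL get the forwarded reverse zone; everyone else is refused.

acl "Internal" { 10.0.1.0/24; };

options {
    directory "/var/named";      // assumed path
    // Closed defaults; each view opens only what it needs.
    recursion no;
    allow-query { none; };
};

// Once a single view is defined, every zone statement must live inside a view.
view "internal" {
    match-clients { "Internal"; };
    recursion yes;
    allow-query { "Internal"; };
    allow-recursion { "Internal"; };

    // The forward zone exists only in this view, so only "Internal" clients
    // can reach 1.2.3.4 / 5.6.7.8 through this server.
    zone "10.in-addr.arpa" in {
        type forward;
        // 'only' (assumed here): if both forwarders are down, do not fall
        // back to iterative resolution, which would send private-range PTR
        // lookups to the public root/AS112 servers.
        forward only;
        forwarders { 1.2.3.4; 5.6.7.8; };
    };
};

// Catch-all for every other source address. Without it, BIND simply returns
// REFUSED to non-matching clients; with it you can still publish any public
// authoritative zones here while keeping recursion (and the forwarders) closed.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

Validate the file with `named-checkconf /etc/named.conf` before reloading, then confirm the split from both sides: `dig -x 10.0.1.20 @<server>` from a 10.0.1.0/24 host should return the forwarders' answer, while the same query from an address outside the ACL should be REFUSED rather than forwarded. The order of view statements matters: BIND uses the first view whose match-clients matches, so the restrictive "internal" view must precede the catch-all.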