ACL per listening IP address ?

2012-09-27 Thread Oscar Ricardo Silva
I have several multi-homed caching servers and am using anycast.  Each 
server has its native interface and then all of them advertise two 
other IP addresses, 128.83.185.40 and 128.83.185.41.  BIND only listens 
on these other two IP addresses.  There is no problem with this setup, 
it works fine and queries are serviced without problem.



options {
    listen-on port 53 {
        128.83.185.40;
        128.83.185.41;
    };
};


Since these different physical servers are advertising the same IP 
addresses (the two above), verifying the status/health of the instance 
of BIND is tricky.  Basically we have a script running on each server 
which is used by our monitoring service.


Is there a way to apply individual BIND ACLs to each of the listening 
interfaces, restricting who can query that particular address? My idea 
is to add the native (unique) interface to named.conf but only allow 
certain IP addresses to issue queries against it.


I'm not very familiar with the concept of views but I wonder if the 
match-client statement might be the way to go.  Alternatively we can 
set up an external ACL (or firewall statement) that only allows queries 
to the native address from our monitoring service.


Clear as mud?


Oscar
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ACL per listening IP address ?

2012-09-27 Thread Evan Hunt
> I'm not very familiar with the concept of views but I wonder if the 
> match-client statement might be the way to go.

It sounds like the one you're interested in is match-destinations
actually.

options {
    listen-on port 53 { 128.83.185.40; 128.83.185.41; NATIVE IP; };
    ...
};

view monitor {
    match-destinations { NATIVE IP; };
    recursion no;
    allow-query { localhost; };
    zone "testzone" {
        type master;
        file "test.db";
    };
};

view others {
    match-destinations { any; };
    recursion yes;
    allow-recursion { ... };
    ...
};

Any queries sent to NATIVE IP would then be routed into the monitor
view, and any queries sent to the public-facing addresses would go to
the others view.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
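A fuller version of the match-destinations approach, written as an added example for this thread (it is not Evan's or ISC's configuration), so that the pieces Oscar asked about sit in one file: the native address gets its own view, and only the monitoring hosts may query it. The native address 192.0.2.10, the monitoring host 192.0.2.200, the client range 128.83.0.0/16, the working directory and the zone file name are constructed placeholders; only the two anycast addresses come from Oscar's message.

```conf
// Added example for this thread, not Evan's or ISC's own configuration.
// Constructed values: 192.0.2.10 (this server's native address),
// 192.0.2.200 (monitoring host), 128.83.0.0/16 (clients allowed to
// recurse), the directory and the zone file. The anycast addresses are Oscar's.

acl anycast_service { 128.83.185.40; 128.83.185.41; };
acl native_addr     { 192.0.2.10; };
acl monitoring      { 127.0.0.1; 192.0.2.200; };
acl our_clients     { 128.83.0.0/16; };

options {
    directory "/var/named";
    listen-on port 53 { anycast_service; native_addr; };
    // Deny by default; each view grants only what it needs.
    recursion no;
    allow-query { none; };
};

// Views are tried in the order they appear and the first match wins, so
// the narrow monitor view must precede the catch-all service view.
view "monitor" {
    match-destinations { native_addr; };
    // match-clients is deliberately left at its default of "any": a query
    // to the native address from an unlisted source then lands in this
    // view and is REFUSED by allow-query, instead of falling through to
    // the recursive view below.
    recursion no;
    allow-query { monitoring; };
    // Health-check zone served only on the native address. The zone file
    // is assumed to exist under the directory set above.
    zone "testzone" {
        type master;
        file "test.db";
    };
};

view "service" {
    match-destinations { anycast_service; };
    recursion yes;
    allow-query { our_clients; };
    allow-recursion { our_clients; };
    // Once views are in use, every zone statement must live inside a view.
    // With no hint zone configured here, named uses its compiled-in root hints.
};
```

Check the file with `named-checkconf -z /etc/named.conf` before reloading, then confirm the split from the monitoring host with `dig @192.0.2.10 testzone SOA` and from an unlisted host, which should be REFUSED. A query for testzone arriving on an anycast address is never answered from the local zone, because the service view does not carry it, so the health check exercises exactly the one server behind the native address. Views only decide what named answers once a packet has reached the socket; Oscar's alternative of a host firewall rule on the native address is an independent layer and can be kept alongside this.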


How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Spumonti Spumonti
I just installed BIND 9.9.1-P3 from source and while looking through the query 
log files I noticed that IP addresses were being resolved:


27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): query: 
www.ibm.com ...




In my other servers which are running the redhat packaged version of BIND 
(9.8.2), my query logs look like:

27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...


The logging section of the configuration looks like:


logging {
    channel query_log {
        file "/var/log/queries/query-log" versions 100 size 1m;
        print-time yes;
    };

    category queries {
        query_log;
    };
};


I'm sure there's something completely obvious that I've missed.  How do I stop 
BIND from resolving these addresses and just including the IP address in the 
log file?




Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Sten Carlsen

On 27/09/12 21:08, Spumonti Spumonti wrote:
> I just installed BIND 9.9.1-P3 from source and while looking through the 
> query log files I noticed that IP addresses were being resolved:
>
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): query: 
> www.ibm.com ...
>
> In my other servers which are running the redhat packaged version of BIND 
> (9.8.2), my query logs look like:
>
> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
To me this looks like a question about what IP is valid for
www.amazon.com and the question was asked from 192.168.5.30. So
www.amazon.com IS the original question, so what you ask is to have the
answer in the log?


> The logging section of the configuration looks like:
>
> channel query_log {
>    file /var/log/queries/query-log versions 100 size 1m;
>    print-time yes;
> };
>
> category queries {
>    query_log;
> };
>
> I'm sure there's something completely obvious that I've missed.  How do I 
> stop BIND from resolving these addresses and just including the IP address in 
> the log file?



-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   MALE BOVINE MANURE!!!


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Jeremy C. Reed
On Thu, 27 Sep 2012, Spumonti Spumonti wrote:

> I just installed BIND 9.9.1-P3 from source and while looking through 
> the query log files I noticed that IP addresses were being resolved:
>
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): 
> query: www.ibm.com ...


That is:

2570.   [func]  Log the destination address the query was sent to.
[RT #19209]

> In my other servers which are running the redhat packaged version of 
> BIND (9.8.2), my query logs look like:
>
> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
>
> I'm sure there's something completely obvious that I've missed.  How 
> do I stop BIND from resolving these addresses and just including the 
> IP address in the log file?

That feature isn't offered. Is it inconvenient to know where the query 
was sent to?


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Doug Barton
On 09/27/2012 12:11 PM, Jeremy C. Reed wrote:
> On Thu, 27 Sep 2012, Spumonti Spumonti wrote:
>
>> I just installed BIND 9.9.1-P3 from source and while looking through 
>> the query log files I noticed that IP addresses were being resolved:
>>
>> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): 
>> query: www.ibm.com ...
>
> That is:
>
> 2570.   [func]  Log the destination address the query was sent to.
> [RT #19209]
>
>> In my other servers which are running the redhat packaged version of 
>> BIND (9.8.2), my query logs look like:
>>
>> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
>
>> I'm sure there's something completely obvious that I've missed.  How 
>> do I stop BIND from resolving these addresses and just including the 
>> IP address in the log file?
>
> That feature isn't offered. Is it inconvenient to know where the query 
> was sent to?

Query logging is already an intensive operation, so not adding extra
cycles by default is a good thing. At least there should be a knob to
turn it off.

... and not to impugn the fine ISC devs, but that is a pretty basic
element of software design. No matter how cool *you* think your new
feature is, there will always be users who don't like it, and want to
turn it off. :) So a knob should be provided. The longer the feature you
are modifying has been around, the larger the number of users who will
want to do so. For query logging in particular I can see a non-trivial
number of users who have scripts or other tools to parse the log, so
having the format change in 9.9 would be a POLA issue.

hth,

Doug


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Spumonti Spumonti
Wow, do I feel like an idiot ... there's dumb and then there's the message I 
sent in.  I just took a quick look and *ASSUMED* the name in parentheses after 
the client IP address was the hostname of the IP address.  Nope.



Looking at another line from the log and actually READING it I see this is not 
the case:

27-Sep-2012 17:17:00.236 client 192.168.5.69#5965 (mail.schnauzerproblems.com): 
query: mail.schnauzerproblems.com IN A + 


I am ashamed.



--- On Thu, 9/27/12, Jeremy C. Reed jr...@isc.org wrote:

> From: Jeremy C. Reed jr...@isc.org
> Subject: Re: How to prevent BIND from resolving addresses in logs
> To: Spumonti Spumonti spumo...@yahoo.com
> Cc: bind-users@lists.isc.org
> Date: Thursday, September 27, 2012, 5:11 PM
> On Thu, 27 Sep 2012, Spumonti Spumonti wrote:
>
>> I just installed BIND 9.9.1-P3 from source and while looking through 
>> the query log files I noticed that IP addresses were being resolved:
>>
>> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): 
>> query: www.ibm.com ...
>
> That is:
>
> 2570.   [func]  Log the destination address the query was sent to.
> [RT #19209]
>
>> In my other servers which are running the redhat packaged version of 
>> BIND (9.8.2), my query logs look like:
>>
>> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
>
>> I'm sure there's something completely obvious that I've missed.  How 
>> do I stop BIND from resolving these addresses and just including the 
>> IP address in the log file?
>
> That feature isn't offered. Is it inconvenient to know where the query 
> was sent to?



Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Doug Barton
On 09/27/2012 12:44 PM, Spumonti Spumonti wrote:
> Wow, do I feel like an idiot ...

... and I feel even more so because I didn't double-check for myself. :)

Doug


Re: How to prevent BIND from resolving addresses in logs

2012-09-27 Thread Mark Andrews

In message 1348772894.42110.yahoomailclas...@web126006.mail.ne1.yahoo.com, 
Spumonti Spumonti writes:
> I just installed BIND 9.9.1-P3 from source and while looking through the 
> query log files I noticed that IP addresses were being resolved:
>
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com): query: 
> www.ibm.com ...

No. They are not being resolved.  If you had left the log message
alone you would have seen that it was the qname being logged which
in the case of the query entry is redundant but for all other client
log messages it is useful.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org