Chris, thanks, that worked.
RootNet08

On Tue, Nov 18, 2008 at 12:46 AM, Chris Buxton <[EMAIL PROTECTED]> wrote:
> Remove your subnet from the bogons ACL at the beginning.
>
> acl bogons {
>     ! 192.168.16.0/21;
>     0.0.0.0/8;
>     [...]
>     192.168.0.0/16;
>     [...]
> };
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Nov 17, 2008, at 8:38 PM, root net wrote:
>
> Hello,
>
> I have a server I am testing before I put it in production. Working on a more
> secure bind config. BTW, if anyone has any other suggestions on locking down
> bind besides the below and chroot, let me know. I was adding views, which has been
> debated time and time again whether or not it really helps, but anyway. My
> problem is I have the latest bogons from team-cymru, which includes my
> internal network subnet 192.168.16.0/21. So in the bogons list it says
> 192.168.0.0/16, which is blackholed. So my local network is being
> blackholed, but it works fine when users not on the bogons query the server
> from the external view. My question is how can I get this to work without
> adding each CIDR block of the 192.168.0.0/16 separately or even breaking
> it up in /21s? I have tried everything I know how. A sanitized portion of
> my named.conf is this:
>
> // For length's sake I took out the other networks.....
>
> acl i_lan { 127.0.0.1; 192.168.16.0/21; };
> acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2; };
> acl bogons {
>     0.0.0.0/8;
>     1.0.0.0/8;
>     2.0.0.0/8;
>     5.0.0.0/8;
>     192.168.0.0/16;
>     198.18.0.0/15;
>     223.0.0.0/8;
>     224.0.0.0/3;
> };
>
> options {
>     version "Go Away";
>     directory "/var/named";
>     dump-file "/var/dump/named_dump.db";
>     pid-file "/var/run/named/named.pid";
>     statistics-file "/var/stats/named.stats";
>     recursion no;
>     allow-query { any; };
>     listen-on { 127.0.0.1; 192.168.16.2; };
>     recursive-clients 1000;
>     tcp-clients 1000;
>     auth-nxdomain yes;
>     blackhole { bogons; };
> };  // options must be closed before the first view
>
> view "internal" {
>     match-clients { i_lan; };
>     notify no;
>     recursion yes;
>     allow-transfer { i_dns; };
>     zone "localhost" {
>         type master;
>         file "localhost.zone";
>     };
>     zone "127.in-addr.arpa" {
>         type master;
>         file "localhost.zone";
>     };
>     zone "0.in-addr.arpa" {
>         type master;
>         file "named.zero";
>     };
>     zone "255.in-addr.arpa" {
>         type master;
>         file "named.broadcast";
>     };
>
>     // zones go here
> };  // end of view "internal"
>
> view "external" {
>     match-clients { !i_lan; any; };
>     recursion no;
>     allow-transfer { i_dns; };
>     // zones go here
> };
>
>
> Any help is appreciated and thanks in advance.
>
> RootNet08
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
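As an added illustration that is not part of the thread, the following script models BIND's first-match evaluation of an address_match_list (a negated element rejects the list and stops processing, so `! 192.168.16.0/21` only helps when it comes before `192.168.0.0/16`) and the order in which the global blackhole and the two views are consulted. The ACLs are constructed from the abridged named.conf above; the function names are the script's own, not BIND's.

```python
import ipaddress

# Constructed from the thread's named.conf (abridged). "!" marks a negated element.
ACLS = {
    "i_lan": ["127.0.0.1", "192.168.16.0/21"],
}
BOGONS_ORIGINAL = ["0.0.0.0/8", "1.0.0.0/8", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3"]
BOGONS_FIXED = ["! 192.168.16.0/21"] + BOGONS_ORIGINAL      # Chris's fix: negation first
# Views in named.conf order with their match-clients lists.
VIEWS = [("internal", ["i_lan"]), ("external", ["!i_lan", "any"])]


def acl_matches(elements, client, acls=ACLS):
    """First-match evaluation of a BIND address_match_list.

    BIND walks the list top to bottom and stops at the first element that
    contains the address: a positive hit means the list matches, a negated
    hit means the list does NOT match. Elements may be an address, a prefix,
    "any", or the name of another ACL (which matches if that list matches).
    """
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        token = element.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token in acls:
            hit = acl_matches(acls[token], client, acls)
        else:
            hit = addr in ipaddress.ip_network(token, strict=False)
        if hit:
            return not negated
    return False


def resolve_path(client, bogons):
    """Return where a query from client ends up: 'blackholed' or the view name.

    The global blackhole is applied before any view is selected, which is why
    a blackholed LAN client never reaches view "internal" at all.
    """
    if acl_matches(bogons, client):
        return "blackholed"
    for name, match_clients in VIEWS:
        if acl_matches(match_clients, client):
            return name
    return "no view"


if __name__ == "__main__":
    for ip in ["192.168.16.5", "192.168.1.5", "203.0.113.7", "198.18.1.1"]:
        print(f"{ip:>14}  original: {resolve_path(ip, BOGONS_ORIGINAL):<11}"
              f" fixed: {resolve_path(ip, BOGONS_FIXED)}")
```

Appending the negation at the end of the list instead of the beginning leaves the LAN blackholed, because `192.168.0.0/16` is hit first and processing stops there.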