Cannot get allow-query-on to work
I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

    allow-query-on { 127.0.0.1; };

to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.

I have tried the similar allow-recursion-on option, and that works as documented.

Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just "allow-query-on" as a complete string. Has anyone even used that option?

-- 
Bob Harold
DNS hostmaster
University of Michigan

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Cannot get allow-query-on to work
On 02.07.2014 17:08, Bob Harold wrote:
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };
>
> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.

Why listen on an interface you don't want to answer from, and so accept packets there at all?

    listen-on { any; };
    listen-on { 127.0.0.1; };
    listen-on { 127.0.0.1; 192.168.196.2; };
Re: Cannot get allow-query-on to work
The server I really need this for is a little more complex. I was just trying for a simple test case. Here are more details on my plans to actually use allow-query-on.

Two DNS servers, one only for the data centers, and another for the users, but also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf:
(has data center DNS resolver IP)

    acl DATACENTER { ... data center subnets ... };
    options {
        allow-query { any; };
        allow-recursion { any; };
        recursion yes;
    };
    view datacenter {
        match-clients { DATACENTER; };
        ... my zones ...
    };

DNS resolver for users, but also backup resolver for the data center:
(There are actually two of these.)
(has both user DNS resolver IP and data center DNS resolver IP)

    options {
        allow-query { any; };
        allow-recursion { any; };
        recursion yes;
    };
    view datacenter {
        match-clients { DATACENTER; };
        allow-query-on { data center resolver ip };
        ... my zones ...
    };
    view users {
        match-clients { any; };
        allow-query-on { user resolver ip };
        ... my zones ...
    };

I don't want users trying to use the data center resolver IP. Without the allow-query-on, it would work for them if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.

(Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)

The authoritative servers are a separate set of servers, not using anycast, not involved in this.

-- 
Bob Harold
DNS Hostmaster
University of Michigan

On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 02.07.2014 17:08, Bob Harold wrote:
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> >     allow-query-on { 127.0.0.1; };
> >
> > to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.
>
> Why listen on an interface you don't want to answer from, and so accept packets there at all?
>
>     listen-on { any; };
>     listen-on { 127.0.0.1; };
>     listen-on { 127.0.0.1; 192.168.196.2; };
Re: Cannot get allow-query-on to work
Personally, I would not mix that. I would have separate virtual servers and control the reachability via iptables; the servers can act as slave/master where needed, so that the datacenter nameserver has all zones and differs where it makes sense.

We do something similar with internal / public nameservers: 4 DNS servers, 2 of them only reachable from specific IPs.

Some years ago I would have mixed that too, but now VMware/Xen/KVM/LXC have become mature.

On 02.07.2014 18:18, Bob Harold wrote:
> The server I really need this for is a little more complex. I was just trying for a simple test case. Here are more details on my plans to actually use allow-query-on.
>
> Two DNS servers, one only for the data centers, and another for the users, but also as backup for the data center.
>
> DNS resolver for data center has these relevant settings in named.conf:
> (has data center DNS resolver IP)
>
>     acl DATACENTER { ... data center subnets ... };
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view datacenter {
>         match-clients { DATACENTER; };
>         ... my zones ...
>     };
>
> DNS resolver for users, but also backup resolver for the data center:
> (There are actually two of these.)
> (has both user DNS resolver IP and data center DNS resolver IP)
>
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view datacenter {
>         match-clients { DATACENTER; };
>         allow-query-on { data center resolver ip };
>         ... my zones ...
>     };
>     view users {
>         match-clients { any; };
>         allow-query-on { user resolver ip };
>         ... my zones ...
>     };
>
> I don't want users trying to use the data center resolver IP. Without the allow-query-on, it would work for them if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.
>
> (Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)
>
> The authoritative servers are a separate set of servers, not using anycast, not involved in this.
>
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> > On 02.07.2014 17:08, Bob Harold wrote:
> > > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> > >
> > >     allow-query-on { 127.0.0.1; };
> > >
> > > to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.
> >
> > Why listen on an interface you don't want to answer from, and so accept packets there at all?
> >
> >     listen-on { any; };
> >     listen-on { 127.0.0.1; };
> >     listen-on { 127.0.0.1; 192.168.196.2; };
Re: Cannot get allow-query-on to work.
Did you specify 127.0.0.1 in the listen-on options statement?

> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };
>
> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.
>
> I have tried the similar allow-recursion-on option, and that works as documented.
>
> Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just "allow-query-on" as a complete string. Has anyone even used that option?
>
> -- 
> Bob Harold
> DNS hostmaster
> University of Michigan

Regards,
Bob
Re: Cannot get allow-query-on to work.
listen-on defaults to all the computer's IPv4 addresses, including the loopback, so I did not put an explicit listen-on statement. It answers queries to both the loopback and other addresses.

-- 
Bob Harold
DNS hostmaster
University of Michigan

On Wed, Jul 2, 2014 at 1:06 PM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> Did you specify 127.0.0.1 in the listen-on options statement?
>
> > I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> >
> >     allow-query-on { 127.0.0.1; };
> >
> > to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.
> >
> > I have tried the similar allow-recursion-on option, and that works as documented.
> >
> > Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just "allow-query-on" as a complete string. Has anyone even used that option?
> >
> > -- 
> > Bob Harold
> > DNS hostmaster
> > University of Michigan
>
> Regards,
> Bob
Re: Cannot get allow-query-on to work
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was fixed in 9.8.6rc2.

Please note that currently allow-query-on is only used for zone configurations. Use allow-cache-on if restricting access to the cache (or allow-recursion-on, like you also used).
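The following script is an added example for this thread; it is not code from the thread, from ISC or from the University of Michigan setup. It takes the two-view resolver design from Bob Harold's second message and the two points in the last reply (the allow-query-on bug fixed in 9.8.6rc2, and allow-query-on covering only zone data on a recursive server) and turns them into something you can check: a version gate, the view configuration with the per-address restriction placed on zone, recursion and cache answers, a named-checkconf pass, and dig probes of both anycast addresses. The cache directive is written as allow-query-cache-on, which is the name the BIND ARM uses for what the last reply calls allow-cache-on. The two resolver addresses, the DATACENTER subnet, the probe name and the script name are placeholders; release candidates are treated as their release version.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from ISC.
# It turns the two findings in the last reply into a checkable procedure:
#  1. allow-query-on was buggy before BIND 9.8.6rc2, so gate on the version;
#  2. on a recursive resolver allow-query-on only covers zone data, so the
#     per-address restriction must also go on allow-recursion-on and
#     allow-query-cache-on (the ARM's name for restricting cache answers).
# Placeholders/assumptions: the two resolver addresses, the DATACENTER
# subnet, and that named, named-checkconf and dig are on PATH for "run".
set -eu

DC_RESOLVER_IP="192.0.2.53"        # data-center anycast address (placeholder)
USER_RESOLVER_IP="198.51.100.53"   # user anycast address (placeholder)

# bind_version_ok VERSION: true when VERSION is 9.8.6 or newer. Accepts the
# raw output of `named -v` ("BIND 9.8.1-P1", "9.8.6rc2", "9.9.5-Ubuntu").
# Release candidates are treated as the release they lead to.
bind_version_ok() {
    v=$(printf '%s' "$1" | sed 's/^BIND //; s/[^0-9.].*$//')
    case "$v" in
        ''|.*|*..*) return 1 ;;        # nothing numeric to compare
        *.*.*) ;;
        *.*) v="$v.0" ;;
        *) v="$v.0.0" ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -eq 8 ] && [ "$patch" -ge 6 ]; then return 0; fi
    return 1
}

# write_views_conf FILE: the two-view resolver from the thread, with the
# per-address restriction on zone, recursion and cache answers.
write_views_conf() {
    cat > "$1" <<EOF
acl DATACENTER { 10.0.0.0/8; };   // placeholder for the data-center subnets

options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// The view is chosen by match-clients first; the -on lists then decide
// whether the address the query arrived on may be answered from that view.
view "datacenter" {
    match-clients { DATACENTER; };
    allow-query-on       { $DC_RESOLVER_IP; };   // zone data (bug fixed in 9.8.6rc2)
    allow-recursion-on   { $DC_RESOLVER_IP; };   // recursive lookups
    allow-query-cache-on { $DC_RESOLVER_IP; };   // answers served from cache
    // ... zones ...
};

view "users" {
    match-clients { any; };
    allow-query-on       { $USER_RESOLVER_IP; };
    allow-recursion-on   { $USER_RESOLVER_IP; };
    allow-query-cache-on { $USER_RESOLVER_IP; };
    // ... zones ...
};
EOF
}

# query_status SERVER NAME: the status field (NOERROR, REFUSED, ...) of an
# A query for NAME sent to SERVER, or NORESPONSE when nothing came back.
query_status() {
    out=$(dig +noall +comments +tries=1 +time=2 @"$1" "$2" A 2>/dev/null || true)
    st=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${st:-NORESPONSE}"
}

main() {
    ver=$(named -v 2>/dev/null || echo unknown)
    if ! bind_version_ok "$ver"; then
        echo "named reports '$ver', older than the 9.8.6rc2 fix; upgrade first" >&2
        exit 1
    fi
    conf=$(mktemp)
    write_views_conf "$conf"
    named-checkconf "$conf"                    # syntax check before deploying
    echo "config parses: $conf"
    # Run from a user workstation: expect the user address to answer and the
    # data-center address to refuse (the query matches view "users", whose
    # -on lists only allow the user address).
    for ip in "$USER_RESOLVER_IP" "$DC_RESOLVER_IP"; do
        echo "$ip -> $(query_status "$ip" www.example.com)"
    done
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh check_resolver_views.sh run` (script name assumed) once from a data-center host and once from a user workstation; the data-center address should report NOERROR from the first and REFUSED from the second. One point worth keeping in mind when reading the result: BIND picks the view from match-clients before it consults any of the -on lists, so a query that arrives on the wrong address for its view is refused rather than handed on to the next view.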