Cannot get allow-query-on to work

2014-07-02 Thread Bob Harold
I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

allow-query-on { 127.0.0.1; };

To the default /etc/bind/named.conf.options file.
That should make it only answer queries sent to 127.0.0.1, and not answer
queries sent to the server's normal IP.  But it seems to have no effect.

I have tried putting the computer's real IP in there instead - same results
- both IP's answer queries.

I have tried the similar allow-recursion-on option and that works as
documented.

Any clue how to get allow-query-on to work?
Searching the mail archives and Google did not find anything - but it is
hard to filter on just allow-query-on as a complete string.
Has anyone even used that option?

-- 
Bob Harold
DNS hostmaster
University of Michigan
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Cannot get allow-query-on to work

2014-07-02 Thread Reindl Harald

Am 02.07.2014 17:08, schrieb Bob Harold:
 I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 
 allow-query-on { 127.0.0.1; };
 
 To the default /etc/bind/named.conf.options file.
 That should make it only answer queries sent to 127.0.0.1, and not 
 answer queries sent to the server's normal IP.
 But it seems to have no effect

why listen on an interface you don't want to
answer from and so accept packets at all?

listen-on  {any;};
listen-on  {127.0.0.1;};
listen-on  {127.0.0.1; 192.168.196.2;};




Re: Cannot get allow-query-on to work

2014-07-02 Thread Bob Harold
The server I really need this for is a little more complex.  I was just
trying for a simple test case.

Here are more details on my plans to actually use allow-query-on.  Two
DNS servers, one only for the data centers, and another for the users, but
also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf:
(has data center DNS resolver IP)
acl DATACENTER { ... data center subnets ... };
options {allow-query { any; } ;
allow-recursion { any; } ;
recursion yes;
};
view datacenter {
 match-clients { DATACENTER; };
... my zones 
};

DNS resolver for users, but also backup resolver for the data center:
(There are actually two of these.)
(has both user DNS resolver IP and data center DNS resolver IP)
options {
allow-query { any; } ;
allow-recursion { any; } ;
recursion yes;
};
view datacenter {
match-clients { DATACENTER; };
allow-query-on { data center resolver ip };
... my zones ...
};
view users {
match-clients { any; };
allow-query-on { user resolver ip };
... my zones ...
};

I don't want users trying to use the data center resolver IP.  Without the
allow-query-on, it would work for them if the anycast path reached the
user resolver, but not if it reached the data center resolver.  That
confuses users.

(Actually, both data center and users have two anycast resolver IP's each,
so double the above sets of servers.)
The authoritative servers are a separate set of servers, not using anycast,
not involved in this.

-- 
Bob Harold
DNS Hostmaster
University of Michigan



Re: Cannot get allow-query-on to work

2014-07-02 Thread Reindl Harald
Personally I would not mix that and would have separate virtual servers
and control the reachability via iptables; the servers
can act as slave/master where needed so that the datacenter
nameserver has all zones and differs where it makes sense.

We do something similar with internal / public nameservers:
4 DNS servers, 2 of them only reachable from specific IPs.

Some years ago I would have mixed that too, but now
VMware/Xen/KVM/LXC have become mature.


re: Cannot get allow-query-on to work.

2014-07-02 Thread Bob McDonald
Did you specify 127.0.0.1 in the listen-on options statement?

Regards,

Bob

Re: Cannot get allow-query-on to work.

2014-07-02 Thread Bob Harold
listen-on defaults to all the computer's IPv4 addresses, including the
loopback, so I did not put an explicit listen-on statement.  It answers
queries to both the loopback and other addresses.

-- 
Bob Harold
DNS hostmaster
University of Michigan



Re: Cannot get allow-query-on to work

2014-07-02 Thread Jeremy C. Reed
 I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was
fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for zone
configurations. Use allow-cache-on if restricting access to the cache (or
allow-recursion-on, as you also used).
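As an added example (not from the thread, not ISC's own configuration), here is the user/backup resolver from Bob's two-view plan above with the per-address restriction expressed the way this reply describes: since allow-query-on only governs zone data in this BIND version, the resolver-side limit goes in allow-recursion-on and allow-query-cache-on (the BIND 9 ARM's name for the option the reply calls allow-cache-on). The addresses, subnets and view names are placeholders I chose.

```conf
// Added example, not from the thread. Placeholders: 192.0.2.10 is the
// data-center anycast resolver address, 192.0.2.20 the user resolver
// address, and the DATACENTER subnets are made up.
acl DATACENTER { 10.10.0.0/16; 10.11.0.0/16; };

options {
    // This box carries both anycast addresses (it is the DC backup).
    listen-on { 192.0.2.10; 192.0.2.20; };
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    // Per-destination-address limits on recursive service. In 9.8
    // allow-query-on applies only to zone data, so it cannot do this.
    // Deny by default here; each view widens it for its own address.
    allow-recursion-on { none; };
    allow-query-cache-on { none; };
};

view "datacenter" {
    match-clients { DATACENTER; };
    // Data-center clients are served only on the DC resolver address,
    // mirroring the allow-query-on intent in the plan above.
    allow-recursion-on { 192.0.2.10; };
    allow-query-cache-on { 192.0.2.10; };
    // ... zones ...
};

view "users" {
    match-clients { any; };
    // Everyone else is served only on the user resolver address. A user
    // who sends a query to 192.0.2.10 is refused for any name this
    // server is not authoritative for, instead of getting an answer
    // that depends on which anycast node the packet happened to reach.
    allow-recursion-on { 192.0.2.20; };
    allow-query-cache-on { 192.0.2.20; };
    // ... zones ...
};
```

To check the split, run `dig @192.0.2.10 example.com` once from a non-DC client (expect the query to be refused) and once from a DATACENTER subnet (expect a normal answer), and repeat against 192.0.2.20.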