Re: How to make one ZONE (subdomain) non-public?
On 12.04.10 09:47, Michelle Konzack wrote:
> in my domain I have a subdomain which is absolutely private and
> non-accessible from the rest of the world. It uses 192.168.x.y.
>
> Which option must I use that this ZONE is only accessible/visible locally?

allow-access in zone statement.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
It's now safe to throw off your computer.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to make one ZONE (subdomain) non-public?
Hello Matus UHLAR - fantomas,

On 2010-04-12 09:52:03, you hacked out the following:
> allow-access in zone statement.

Ehm...

[ STDIN ]---
Apr 12 10:16:48 samba3 named[16931]: starting BIND 9.3.4-P1.2 -u bind
Apr 12 10:16:48 samba3 named[16931]: found 4 CPUs, using 4 worker threads
Apr 12 10:16:48 samba3 named[16931]: loading configuration from '/etc/bind/named.conf'
Apr 12 10:16:48 samba3 named[16931]: /etc/bind/named.conf.local:63: unknown option 'allow-access'
Apr 12 10:16:48 samba3 named[16931]: loading configuration: failure
Apr 12 10:16:48 samba3 named[16931]: exiting (due to fatal error)

Maybe allow-query?

    zone "private.tamay-dogan.net" {
        type master;
        file "/etc/bind/net.tamay-dogan.private";
        allow-transfer { 192.168.0.194; 192.168.0.195; };
        allow-update   { 192.168.0.91; 192.168.0.92; 192.168.0.93; 192.168.0.112; };
        allow-query    { 192.168.0.0/24; };
    };

but now I can no longer access bind9 from my workstation...

Can you try to query

    dig michelle1.private.tamay-dogan.net @dns1.tamay-dogan.net

please?

Thanks, Greetings
and nice Day/Evening
    Michelle Konzack
    System Administrator

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France              itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack             Gesch. Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                   Kinzigstraße 17
67100 Strasbourg/France             77694 Kehl/Germany
Tel: +33-6-61925193 mobil           Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/     http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/

Re: How to make one ZONE (subdomain) non-public?
> Date: Mon, 12 Apr 2010 09:52:03 +0200
> From: Matus UHLAR - fantomas uh...@fantomas.sk
>
> On 12.04.10 09:47, Michelle Konzack wrote:
> > in my domain I have a subdomain which is absolutely private and
> > non-accessible from the rest of the world. It uses 192.168.x.y.
> >
> > Which option must I use that this ZONE is only accessible/visible locally?
>
> allow-access in zone statement.

I think the easiest way to do this would be to make several VIEWS. Put
the zone file for the subdomain in the internal only view. Yes, some
zone descriptions would be duplicated, but... Oh well...

For instance, when it is time for my children to do homework, I add a
zone facebook.com that points to localhost to my zone descriptions.
This effectively locks them out of facebook for the duration of
homework time. (This local facebook.com zone is NOT something that I
would want the internet to use...)

eg:

    // for the ACL, you can put in CIDR notation for your network ALSO...
    // Note that the difference between the zone descriptions is that
    // some-subdomain is missing from the external view. You would also
    // populate the views with any additional zones...

    acl "internal" { localhost; localnets; };

    view "trusted" {
        match-clients { internal; };
        recursion yes;

        zone "ext-domain" in {
            type master;
            file "db.ext-domain";
            allow-update { none; };
            allow-transfer { ip1; ip2; };
        };

        zone "some-subdomain" in {
            type master;
            file "db.sub-domain";
            allow-update { none; };
            allow-transfer { ip3; ip4; };
        };

        // More zone(s) {}
    };  // End of trusted or internal view

    view "external" {
        match-clients { any; };
        recursion no;
        additional-from-cache no;

        zone "ext-domain" in {
            type master;
            file "db.ext-domain";
            allow-update { none; };
            allow-transfer { ip1; ip2; };
        };
    };  // End of External view

-
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance. -- Thomas Jefferson

The best we can hope for concerning the people at large is that they
be properly armed. --Alexander Hamilton

Re: How to make one ZONE (subdomain) non-public?
On 12.04.10 10:24, Michelle Konzack wrote:
> Hello Matus UHLAR - fantomas,
>
> On 2010-04-12 09:52:03, you hacked out the following:
> > allow-access in zone statement.

sorry, I meant allow-query.

> [ STDIN ]---
> Apr 12 10:16:48 samba3 named[16931]: starting BIND 9.3.4-P1.2 -u bind
> Apr 12 10:16:48 samba3 named[16931]: found 4 CPUs, using 4 worker threads
> Apr 12 10:16:48 samba3 named[16931]: loading configuration from '/etc/bind/named.conf'
> Apr 12 10:16:48 samba3 named[16931]: /etc/bind/named.conf.local:63: unknown option 'allow-access'
> Apr 12 10:16:48 samba3 named[16931]: loading configuration: failure
> Apr 12 10:16:48 samba3 named[16931]: exiting (due to fatal error)
>
> Maybe allow-query?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows 2000: 640 MB ought to be enough for anybody

Re: How to make one ZONE (subdomain) non-public?
Hello Matus UHLAR - fantomas,

On 2010-04-12 11:21:07, you hacked out the following:
> On 12.04.10 10:24, Michelle Konzack wrote:
> > Hello Matus UHLAR - fantomas,
> >
> > On 2010-04-12 09:52:03, you hacked out the following:
> > > allow-access in zone statement.
>
> sorry, I meant allow-query.

:-D

I have already seen in the logfiles that several people had tried to
access the DNS and it was denied...

[ '/var/log/named.log' ]
Apr 12 11:01:04 dns named[4501]: 12-Apr-2010 11:01:04.433 security: info: client 74.125.76.78#33964: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 11:01:04 dns named[4501]: 12-Apr-2010 11:01:04.482 security: info: client 74.125.76.78#3: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 11:48:51 dns named[4501]: 12-Apr-2010 11:48:51.055 security: info: client 77.88.42.250#5335: query 'samba3.private.tamay-dogan.net/A/IN' denied
Apr 12 12:00:05 dns named[4501]: 12-Apr-2010 12:00:05.432 security: info: client 220.181.12.2#45710: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 12:00:05 dns named[4501]: 12-Apr-2010 12:00:05.707 security: info: client 220.181.12.2#39523: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 12:01:26 dns named[4501]: 12-Apr-2010 12:01:26.201 security: info: client 217.147.177.250#22248: query 'private.tamay-dogan.net/A/IN' denied

Thanks, Greetings
and nice Day/Evening
    Michelle Konzack
    System Administrator
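
Added example (not part of any poster's message): a small Python parser for the "query ... denied" lines of the named security log quoted in the last message, grouping refused lookups under the private zone by name and client. The sample input is the log excerpt from that message; the function names are this example's own.

```python
import re
from collections import defaultdict

# Log excerpt copied from the message above (named "security" category).
SAMPLE_LOG = """\
Apr 12 11:01:04 dns named[4501]: 12-Apr-2010 11:01:04.433 security: info: client 74.125.76.78#33964: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 11:01:04 dns named[4501]: 12-Apr-2010 11:01:04.482 security: info: client 74.125.76.78#3: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 11:48:51 dns named[4501]: 12-Apr-2010 11:48:51.055 security: info: client 77.88.42.250#5335: query 'samba3.private.tamay-dogan.net/A/IN' denied
Apr 12 12:00:05 dns named[4501]: 12-Apr-2010 12:00:05.432 security: info: client 220.181.12.2#45710: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 12:00:05 dns named[4501]: 12-Apr-2010 12:00:05.707 security: info: client 220.181.12.2#39523: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Apr 12 12:01:26 dns named[4501]: 12-Apr-2010 12:01:26.201 security: info: client 217.147.177.250#22248: query 'private.tamay-dogan.net/A/IN' denied
"""

# client <ip>#<port>: query '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"security: info: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query '(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def parse_denied(log_text):
    """Yield (client_ip, qname, qtype) for every refused query in the log."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m["ip"], m["name"].lower().rstrip("."), m["qtype"]

def in_zone(qname, zone):
    """True if qname is the zone apex or below it (label-aligned match)."""
    zone = zone.lower().rstrip(".")
    return qname == zone or qname.endswith("." + zone)

def summarize(log_text, private_zone):
    """Map each refused private-zone name to the set of clients asking for it."""
    hits = defaultdict(set)
    for ip, qname, _qtype in parse_denied(log_text):
        if in_zone(qname, private_zone):
            hits[qname].add(ip)
    return dict(hits)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "private.tamay-dogan.net")
    for name, clients in sorted(result.items()):
        print(f"{name}: refused for {', '.join(sorted(clients))}")
```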