Re: host restriction

2023-05-16 Thread Matus UHLAR - fantomas

On 15.05.23 20:58, Kereszt Vezeték wrote:

> Can someone help me with the following problem?
> I have a DNS server in my private network with a local domain. The DNS
> server forwards public requests to the Google DNS server.

Why? BIND server can resolve perfectly without forwarding anywhere.

> I would like to separate hosts in the inside network.
> One group is allowed only local host resolution, not forwarding to 8.8.8.8.
> The other group is allowed local host resolution and is able to forward to
> the Google DNS server.
> Is there any way to solve this problem with bind9?
> Local subnet 192.168.1.0/24
>
> 192.168.1.10 allow forward to 8.8.8.8
> 192.168.1.11 allow forward to 8.8.8.8
>
> 192.168.1.20 disable forward 8.8.8.8
> 192.168.1.21 disable forward 8.8.8.8

And how should requests from these IPs be resolved?

If really needed (see my comment above), I recommend using views for this.
Mostly because they can have separate cache.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: host restriction

2023-05-16 Thread Grant Taylor via bind-users

On 5/15/23 1:58 PM, Kereszt Vezeték wrote:

> Hi Everybody

Hi,

> I have a DNS server in my private network with a local domain. The DNS
> server forwards public requests to the Google DNS server. I would like to
> separate hosts in the inside network.
>
> One group is allowed only local host resolution, not forwarding to 8.8.8.8.
> The other group is allowed local host resolution and is able to forward to
> the Google DNS server.
>
> Is there any way to solve this problem with bind9?

It seems to me like this may be described as authoritative only without 
recursion, and both authoritative and recursive service.

With this in mind, I'd wonder if BIND's recursion restrictions might 
suffice.  E.g. allow 192.168.1.10 & 192.168.1.11 to make recursive 
queries which get forwarded to ${UPSTREAM_DNS_PROVIDER} while only 
serving local authoritative content to 192.168.1.20 & 192.168.1.21.

I assume there is some nuance that I'm overlooking / haven't had enough 
caffeine to properly appreciate yet.

But this is what I'd try myself.

N.B. you probably want to also apply the similar ACL to querying the 
cache, lest 192.168.1.20 & 192.168.1.21 be able to get things out of cache 
that 192.168.1.10 & 192.168.1.11 queried from ${UPSTREAM_DNS_PROVIDER}.




Grant. . . .
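A complete named.conf fragment that puts Matus's suggestion (views, each with its own cache) together with Grant's (recursion allowed only for the forwarding group, cache queries restricted to it), as an added example that is not code from any of the posters or from ISC. It assumes a local zone named `lan.example` stored in `/etc/bind/db.lan.example` (both are placeholders), uses the host addresses from the original question, and loads the zone once with `in-view` so both views serve the same data:

```conf
// Added example, not from the thread. Assumed: local zone "lan.example"
// in /etc/bind/db.lan.example; addresses are those of the original question.
acl forward-ok { 192.168.1.10; 192.168.1.11; };   // may be answered via 8.8.8.8
acl local-only { 192.168.1.20; 192.168.1.21; };   // local zone only

options {
    directory "/var/cache/bind";
    recursion no;                 // views below override this explicitly
};

// Views are tried in the order written; the first match-clients hit wins and
// a client that matches no view is refused.
view "forwarding" {
    match-clients { forward-ok; localhost; };
    recursion yes;
    allow-recursion { forward-ok; localhost; };
    allow-query-cache { forward-ok; localhost; };   // Grant's cache ACL
    forwarders { 8.8.8.8; };
    forward only;                 // never fall back to iterative resolution
    zone "lan.example" {
        type primary;             // "type master" on BIND before 9.16
        file "/etc/bind/db.lan.example";
    };
};

view "local-only" {
    match-clients { local-only; };
    recursion no;                 // no forwarding and no iterative lookups
    allow-query-cache { none; };  // this view's cache is separate anyway
    zone "lan.example" {
        in-view "forwarding";     // share the zone loaded above
    };
};
```

A query from 192.168.1.20 for a name outside `lan.example` is refused instead of being sent to 8.8.8.8, and because each view keeps its own cache the local-only view never sees answers the forwarding view fetched upstream, which enforces Grant's N.B. structurally; the explicit `allow-query-cache { none; }` is belt and braces. Any further host must be added to one of the two ACLs or it gets no answer at all, and `named-checkconf` before a reload catches syntax mistakes.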


RE: host restriction

2023-05-15 Thread John W. Blue via bind-users
Zoltan,

There may be another way to make this work but this is what comes to my mind:  
ACLs in a view.

https://kb.isc.org/docs/aa-00851

# named.conf
acl google-is-good { 192.168.7.0/24; localhost; };   # clients that may use 8.8.8.8
acl google-is-evil { 192.168.8.0/24; };              # clients kept off 8.8.8.8

view google-good {
    match-clients { google-is-good; };
    allow-recursion { any; };
    forwarders {
        8.8.8.8;
    };
};

view google-evil {
    match-clients { google-is-evil; };
    allow-recursion { any; };     # recursion, but no forwarders in this view
};

You *might* be able to whack the acl down to like a /28 or a /29 while keeping 
your DHCP scope at a /24.  This will allow you to perform view testing without 
needing to rip n replace DHCP configs.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kereszt 
Vezeték
Sent: Monday, May 15, 2023 1:58 PM
To: bind-users@lists.isc.org
Subject: host restriction

Hi Everybody

Can someone help me with the following problem?
I have a DNS server in my private network with a local domain. The DNS server 
forwards public requests to the Google DNS server. I would like to separate 
hosts in the inside network.
One group is allowed only local host resolution, not forwarding to 8.8.8.8. The 
other group is allowed local host resolution and is able to forward to the Google 
DNS server.
Is there any way to solve this problem with bind9?
Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8

192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan
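John's config hinges on match-clients ACLs, and BIND evaluates both ACL elements and views in the order written: within an ACL the first element that contains the client address decides (a leading `!` negates it), and the first view whose match-clients admits the client wins, with a client matching no view answered REFUSED. The Python script below, an added example that is not code from the thread or from ISC, simulates that selection so ACL and view order can be checked before reloading named. The ACLs are constructed to mirror the original question's addresses (192.168.1.10 and .11 forward, the rest of the /24 is local-only); the `SHADOWED` list shows what happens when a broad view is placed before a narrow one:

```python
import ipaddress

# Constructed ACLs modelled on the thread's addresses (not a real named.conf).
# Elements are tested in order; the first element containing the client
# decides, and a leading "!" negates that element, as in BIND's address
# match lists. "localhost" is written out as 127.0.0.0/8 here.
ACLS = {
    "forward-ok": ["192.168.1.10/32", "192.168.1.11/32", "127.0.0.0/8"],
    "local-only": ["!192.168.1.10/32", "!192.168.1.11/32", "192.168.1.0/24"],
    "lan-all":    ["192.168.1.0/24"],
}

# Views in named.conf order: (view name, match-clients ACL, forwards to 8.8.8.8?)
VIEWS = [
    ("forwarding", "forward-ok", True),
    ("local-only", "local-only", False),
]

# Same views with the broad ACL first: the narrow view can never be reached.
SHADOWED = [
    ("local-only", "lan-all", False),
    ("forwarding", "forward-ok", True),
]


def acl_matches(acl_name, client):
    """First-match evaluation of one ACL, honouring '!' negation."""
    ip = ipaddress.ip_address(client)
    for element in ACLS[acl_name]:
        negated = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False  # fell off the end of the list: no match


def select_view(client, views=VIEWS):
    """Name of the first view whose match-clients admits the client, or None
    (BIND answers REFUSED when no view matches)."""
    for name, acl_name, _ in views:
        if acl_matches(acl_name, client):
            return name
    return None


def may_reach_upstream(client, views=VIEWS):
    """True only if the client lands in a view that forwards to 8.8.8.8."""
    selected = select_view(client, views)
    return any(name == selected and forwards for name, _, forwards in views)


if __name__ == "__main__":
    for c in ["192.168.1.10", "192.168.1.20", "192.168.1.99", "10.0.0.5"]:
        print(f"{c:15} view={select_view(c)!s:12} upstream={may_reach_upstream(c)}")
    print("broad view first, 192.168.1.10 lands in:",
          select_view("192.168.1.10", SHADOWED))
```

With the views in the intended order 192.168.1.10 forwards and 192.168.1.20 stays local; with `SHADOWED`, 192.168.1.10 silently lands in the local-only view because the /24 matched first, which is the ordering mistake to look for when a host that should forward suddenly cannot resolve outside names.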


host restriction

2023-05-15 Thread Kereszt Vezeték
Hi Everybody

Can someone help me with the following problem?
I have a DNS server in my private network with a local domain. The DNS
server forwards public requests to the Google DNS server. I would like to
separate hosts in the inside network.
One group is allowed only local host resolution, not forwarding to 8.8.8.8.
The other group is allowed local host resolution and is able to forward to the
Google DNS server.
Is there any way to solve this problem with bind9?
Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8

192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan