Re: host restriction
On 15.05.23 20:58, Kereszt Vezeték wrote:
> Can someone help me with the following problem ?
> I have a dns server in my private network with a local domain.
> The dns server forwards the public requests to the google dns server.

why? BIND server can resolve perfectly without forwarding anywhere.

> I would like to separate hosts in the inside network. One group allow only
> the local host resolve, not forward to the 8.8.8.8. Other group allow the
> local hosts resolve, and able to forward to the google dns server.
> Are there any way to solve this problem with bind9 ?
>
> Local subnet 192.168.1.0/24
> 192.168.1.10 allow forward to 8.8.8.8
> 192.168.1.11 allow forward to 8.8.8.8
> 192.168.1.20 disable forward 8.8.8.8
> 192.168.1.21 disable forward 8.8.8.8

And how should requests from these IPs be resolved?

If really needed (see my comment above), I recommend using views for this.
Mostly because they can have separate cache.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: host restriction
On 5/15/23 1:58 PM, Kereszt Vezeték wrote:
> Hi Everybody

Hi,

> I have a dns server in my private network with a local domain. The dns
> server forwards the public requests to the google dns server. I would like
> to separate hosts in the inside network. One group allow only the local
> host resolve, not forward to the 8.8.8.8. Other group allow the local
> hosts resolve, and able to forward to the google dns server. Are there any
> way to solve this problem with bind9 ?

It seems to me like this may be described as authoritative only without recursion and both authoritative and recursive service.

With this in mind, I'd wonder if BIND's recursion restrictions might suffice. E.g. allow 192.168.1.10 & 192.168.1.11 to make recursive queries which get forwarded to ${UPSTREAM_DNS_PROVIDER} while only serving local authoritative content to 192.168.1.20 & 192.168.1.21.

I assume there is some nuance that I'm overlooking / haven't had enough caffeine to properly appreciate yet. But this is what I'd try myself.

N.B. you probably want to also apply the similar ACL to querying the cache, lest 192.168.1.20 & 192.168.1.21 be able to get things out of cache that 192.168.1.10 & 192.168.1.11 queried from ${UPSTREAM_DNS_PROVIDER}.

Grant. . . .
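The single-view layout Grant sketches, written out as an added example for this thread (it is not configuration posted by any of the participants). It assumes the four host addresses from Zoltan's post, a local zone called example.lan stored in db.example.lan, and a BIND version new enough for `type primary` (older releases spell it `type master`); all three are assumptions for illustration. The point it adds to Grant's description is the second ACL he mentions in his N.B.: restricting the cache as well as recursion, so that hosts denied forwarding cannot read back answers the other group pulled in from 8.8.8.8.

```conf
# named.conf, illustrative layout (constructed for this example)
acl local-net  { 192.168.1.0/24; };
acl forward-ok { 192.168.1.10; 192.168.1.11; };   # hosts allowed to reach 8.8.8.8 via the server
acl local-only { 192.168.1.20; 192.168.1.21; };   # hosts that get the local zone only

options {
    directory "/var/cache/bind";           # assumed path, adjust to the distribution
    recursion yes;

    # Who may ask at all: the whole subnet plus the server itself.
    allow-query { local-net; localhost; };

    # Only the forward-ok group may trigger recursion (i.e. forwarding).
    allow-recursion { forward-ok; localhost; };

    # Grant's N.B.: without this, a local-only host that is refused recursion
    # could still be answered from the cache filled by the forward-ok hosts.
    # BIND derives a default from allow-recursion, but stating it keeps the
    # intent visible when someone later edits allow-recursion.
    allow-query-cache { forward-ok; localhost; };

    # Send all recursive lookups to Google rather than iterating from the roots.
    forwarders { 8.8.8.8; };
    forward only;
};

# The local zone is authoritative data, so every host on the subnet can query
# it regardless of the recursion and cache ACLs above.
zone "example.lan" {                       # assumed zone name
    type primary;
    file "db.example.lan";                 # assumed zone file
    allow-query { local-net; localhost; };
};
```

With this in place, a query for a name in example.lan from 192.168.1.20 is answered from authoritative data, while a query from the same host for an outside name is refused instead of being forwarded; 192.168.1.10 gets both. Validate the file with `named-checkconf` before reloading, and verify behaviour per host with `dig` from each address. Note that this layout shares one cache among the hosts that are allowed to use it, which is exactly the situation Matus's separate-cache argument for views is about; if the two groups must never share cached data at all, views are the cleaner tool.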
RE: host restriction
Zoltan,

There may be another way to make this work but this is what comes to my mind: acl's in a view.

https://kb.isc.org/docs/aa-00851

    # named.conf
    acl google-is-good { 192.168.7.0/24; localhost; };
    acl google-is-evil { 192.168.8.0/24; };

    view google-good {
        match-clients { google-is-good; };
        allow-recursion { any; };
        forwarders { 8.8.8.8; };
    };

    view google-evil {
        match-clients { google-is-evil; };
        allow-recursion { any; };
    };

You *might* be able to whack the acl down to like a /28 or a /29 while keeping your DHCP scope at a /24. This will allow you to perform view testing without needing to rip n replace DHCP configs.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kereszt Vezeték
Sent: Monday, May 15, 2023 1:58 PM
To: bind-users@lists.isc.org
Subject: host restriction

Hi Everybody

Can someone help me with the following problem ?
I have a dns server in my private network with a local domain. The dns server forwards the public requests to the google dns server. I would like to separate hosts in the inside network. One group allow only the local host resolve, not forward to the 8.8.8.8. Other group allow the local hosts resolve, and able to forward to the google dns server. Are there any way to solve this problem with bind9 ?

Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8
192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan
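The views approach that both Matus and John recommend, adapted here as an added example to the exact hosts in Zoltan's post (this is not John's configuration above, nor anything from the ISC article he links). It assumes a local zone example.lan in db.example.lan, a BIND release with `type primary` and the `in-view` zone option (9.10 or later), and that hosts outside the four listed addresses should simply be refused; all of these are assumptions. Each view carries its own cache, which is the property Matus points to: nothing the forwarding group fetches from 8.8.8.8 is visible to the local-only group, without needing a separate allow-query-cache rule.

```conf
# named.conf, illustrative layout (constructed for this example)
acl forward-ok { 192.168.1.10; 192.168.1.11; };   # may resolve anything, via 8.8.8.8
acl local-only { 192.168.1.20; 192.168.1.21; };   # may resolve the local zone only

options {
    directory "/var/cache/bind";     # assumed path
    recursion yes;                   # per-view settings below narrow this
};

# View 1: hosts that get the local zone and forwarded external resolution.
view "forwarding" {
    match-clients   { forward-ok; localhost; };
    allow-query     { forward-ok; localhost; };
    allow-recursion { forward-ok; localhost; };
    forwarders { 8.8.8.8; };
    forward only;                    # never iterate from the roots ourselves

    zone "example.lan" {             # assumed zone name
        type primary;
        file "db.example.lan";       # assumed zone file
    };
};

# View 2: hosts that get the local zone and nothing else.
# Once views are used, every zone must live inside a view; in-view reuses the
# zone object loaded above instead of loading the file a second time.
view "local-only" {
    match-clients { local-only; };
    allow-query   { local-only; };
    recursion no;                    # external names are refused, not forwarded

    zone "example.lan" {
        in-view "forwarding";
    };
};
```

Views are evaluated top to bottom and a client that matches none of them is refused, so adding a host to either group is a one-line ACL change. John's testing tip applies unchanged: start with a narrow match-clients ACL for a couple of test hosts, confirm with `dig` from each side that external names are forwarded for one group and refused for the other, then widen the ACLs. Run `named-checkconf` after each edit; a zone accidentally left outside all views is the most common reason the reload fails.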
host restriction
Hi Everybody

Can someone help me with the following problem ?
I have a dns server in my private network with a local domain. The dns server forwards the public requests to the google dns server. I would like to separate hosts in the inside network. One group allow only the local host resolve, not forward to the 8.8.8.8. Other group allow the local hosts resolve, and able to forward to the google dns server. Are there any way to solve this problem with bind9 ?

Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8
192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan