Bind acl statement issue

List overview All Threads
Download

newer

older

LDAP syncrepl incompatibility...

Reg. setting Domain name on Cento...

Joseph L. Casale

12 Jun 2008 12 Jun '08

1:09 a.m.

...

From the manual, localnets matches hosts belonging to a network for which the server

has an interface in. I have a dns server in a dmz with an ip of 192.168.2.2 in /24. Named.conf has 3 views, localhost_resolver -> localhost, internal -> localnets, and external -> !localnets; !localhost.

I have a management workstation in 192.168.0.0/24 that is connecting and receiving the following debug: client 192.168.0.44#2188: no matching view in class 'IN'

I don't get it? Obvioulsy if I add all to the external view, it works. How is the failing?

Thanks! jlc

Show replies by date

Tim Verhoeven

12 Jun 12 Jun

9:41 a.m.

On Thu, Jun 12, 2008 at 1:09 AM, Joseph L. Casale JCasale@activenetwerx.com wrote:

...

...
From the manual, localnets matches hosts belonging to a network for which the server

has an interface in. I have a dns server in a dmz with an ip of 192.168.2.2 in /24. Named.conf has 3 views, localhost_resolver -> localhost, internal -> localnets, and external -> !localnets; !localhost.

I have a management workstation in 192.168.0.0/24 that is connecting and receiving the following debug: client 192.168.0.44#2188: no matching view in class 'IN'

I don't get it? Obvioulsy if I add all to the external view, it works. How is the failing?

Could you post your complete named.conf file so that we can have a look at it ?

Regards, Tim

-- Tim Verhoeven - tim.verhoeven.be@gmail.com - 0479 / 88 11 83 Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed. (Linus Torvalds)

Indunil Jayasooriya

9:50 a.m.

Hi,

Here's ONE .

// // named.conf for Red Hat caching-nameserver //

options { directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */ // query-source address * port 53; };

// // a caching only nameserver config // controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; };

// ACL statement

acl "trusted-subnet" { 192.168.3.0/24; 192.168.2.0/24; 192.168.4.0/24; };

view "internal" { //what the internal network will see

match-clients { localnets; localhost; "trusted-subnet"; };

zone "." IN { type hint; file "named.ca"; };

zone "localdomain" IN { type master; file "localdomain.zone"; allow-update { none; }; };

zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };

zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.ip6.local"; allow-update { none; }; };

zone "255.in-addr.arpa" IN { type master; file "named.broadcast"; allow-update { none; }; };

zone "0.in-addr.arpa" IN { type master; file "named.zero"; allow-update { none; }; };

zone "abc.com" IN { type master; file "internal.abc.zone"; allow-update { none; }; allow-query { any; }; };

zone "2.168.192.in-addr.arpa" IN { type master; file "internal.reverse.abc.zone"; allow-update { none; }; allow-query { any; }; };

zone "3.168.192.in-addr.arpa" IN { type master; file "internal_LAN.reverse.abc.zone"; allow-update { none; }; allow-query { any; }; }; };

view "external" { // what the Internet will see

match-clients { any; }; // recursion no;

zone "abc.com" IN { type master; file "abc.zone"; allow-update { none; }; allow-query { any; }; };

zone "138.165.222.in-addr.arpa" IN { type master; file "reverse.abc.zone"; allow-update { none; }; allow-query { any; }; }; };

include "/etc/rndc.key";

Hope the above is what u r in search of.

GOOD LUCK

On Thu, Jun 12, 2008 at 1:11 PM, Tim Verhoeven tim.verhoeven.be@gmail.com wrote:

...

On Thu, Jun 12, 2008 at 1:09 AM, Joseph L. Casale JCasale@activenetwerx.com wrote:

...
...
From the manual, localnets matches hosts belonging to a network for which the server

has an interface in. I have a dns server in a dmz with an ip of 192.168.2.2 in /24. Named.conf has 3 views, localhost_resolver -> localhost, internal -> localnets, and external -> !localnets; !localhost.

I have a management workstation in 192.168.0.0/24 that is connecting and receiving the following debug: client 192.168.0.44#2188: no matching view in class 'IN'

I don't get it? Obvioulsy if I add all to the external view, it works. How is the failing?

Could you post your complete named.conf file so that we can have a look at it ?

Regards, Tim

-- Tim Verhoeven - tim.verhoeven.be@gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed. (Linus Torvalds) _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

-- Thank you Indunil Jayasooriya

Joseph L. Casale

3:26 p.m.

...

view "external" { // what the Internet will see
  match-clients { any; };

It looks like the example file's "external -> !localnets; !localhost" wouldn't match anything? I also used "any" and everything is fine. It appears as Bind will stop once matched so this is safe.

Thanks! jlc

6029

Age (days ago)

6030

Last active (days ago)

discuss@lists.centos.org

3 comments

3 participants

tags (0)

participants (3)

Indunil Jayasooriya
Joseph L. Casale
Tim Verhoeven