[CentOS] BIND with ACLs

Tue Dec 12 00:22:33 UTC 2006
Adriano Frare <alfrare at e-alinux.com>

Dear Friends,

I created um DNS server for network Internal and External same SERVER, 
but the control by ACLs in named.conf don't work, when I active ACLs the 
server don't resoluction external domain names.

Please, check NAMED.CONF file.

//
// named.conf for Red Hat caching-nameserver
//

options {
         directory "/var/named/";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
          // query-source address * port 53;


         allow-query {
                 127.0.0.1/32;
                 192.168.1.0/24;
                 200.245.88.23/32;
                 200.162.222.37/32;};

         allow-transfer { 127.0.0.1/32;
                     192.168.1.0/24;
                     200.162.222.37/32;
                     195.20.105.149/32;
                     193.111.27.194/32;
                     194.145.96.21/32;
                     193.23.158.13;};

         allow-recursion { 127.0.0.1/32;
                     192.168.1.0/24;
                     200.162.222.37/32;};

//        allow-notify { 127.0.0.1/32;
//                    200.245.88.23/32;};

};
// LOG
logging {
    channel query-log {
       file "/var/named/data/query-log" versions 5 size 50m;
    };
    category queries { query-log; };
};

acl internals {
                 192.168.1/24;
                 127/8;
};

//
// a caching only nameserver config
//
controls {
         inet 127.0.0.1 port 953 allow { localhost; } keys { rndckey; };
};

view "external" {
     match-clients { any; };
     recursion no;

zone "conntrust.com" IN {
         type master;
         file "conntrust.com.hosts";
         allow-update {none;};
         allow-query {any;};
         allow-transfer {any;};
};


zone "whitelist.conntrust.com" IN {
         type master;
         file "whitelist.conntrust.com.hosts";
         allow-update {none;};
         allow-query {any;};
         allow-transfer {any;};
};

}; //acl external

view "internal" {
     match-clients { internals; };
     recursion yes;



zone "." IN {
         type hint;
         file "named.ca";
};

zone "localdomain" IN {
         type master;
         file "localdomain.zone";
//      allow-update { none; };
};

zone "localhost" IN {
         type master;
         file "localhost.zone";
//      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
         type master;
         file "named.local";
//      allow-update { none; };
};

zone 
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" 
IN {
         type master;
         file "named.ip6.local";
//      allow-update { none; };
};

zone "255.in-addr.arpa" IN {
         type master;
         file "named.broadcast";
//      allow-update { none; };
};

zone "0.in-addr.arpa" IN {
         type master;
         file "named.zero";
//      allow-update { none; };
};


     zone "conntrust.com" IN {
         type master;
         file "internal.conntrust.com.hosts";
       allow-update { internals; };

     };


}; // acl internal

include "/etc/rndc.key";


Thanks


Adriano