[CentOS] Bind acl statement issue

Thu Jun 12 07:50:55 UTC 2008
Indunil Jayasooriya <indunil75 at gmail.com>

Hi,

Here's one.


//
// named.conf for Red Hat caching-nameserver
//

options {
       directory "/var/named";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       /*
        * If there is a firewall between you and nameservers you want
        * to talk to, you might need to uncomment the query-source
        * directive below.  Previous versions of BIND always asked
        * questions using port 53, but BIND 8.1 uses an unprivileged
        * port by default.
        */
       // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
       inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// ACL statement

acl "trusted-subnet" { 192.168.3.0/24; 192.168.2.0/24; 192.168.4.0/24; };

view "internal" { //what the internal network will see

       match-clients { localnets; localhost; "trusted-subnet"; };

       zone "." IN {
               type hint;
               file "named.ca";
       };

       zone "localdomain" IN {
               type master;
               file "localdomain.zone";
               allow-update { none; };
       };

       zone "localhost" IN {
               type master;
               file "localhost.zone";
               allow-update { none; };
       };

       zone "0.0.127.in-addr.arpa" IN {
               type master;
               file "named.local";
               allow-update { none; };
       };

       zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
               type master;
               file "named.ip6.local";
               allow-update { none; };
       };

       zone "255.in-addr.arpa" IN {
               type master;
               file "named.broadcast";
               allow-update { none; };
       };

       zone "0.in-addr.arpa" IN {
               type master;
               file "named.zero";
               allow-update { none; };
       };

       zone "abc.com" IN {
               type master;
               file "internal.abc.zone";
               allow-update { none; };
               allow-query { any; };
       };

       zone "2.168.192.in-addr.arpa" IN {
               type master;
               file "internal.reverse.abc.zone";
               allow-update { none; };
               allow-query { any; };
       };

       zone "3.168.192.in-addr.arpa" IN {
               type master;
               file "internal_LAN.reverse.abc.zone";
               allow-update { none; };
               allow-query { any; };
       };
};

view "external" { // what the Internet will see

       match-clients { any; };
//      recursion no;

       zone "abc.com" IN {
               type master;
               file "abc.zone";
               allow-update { none; };
               allow-query { any; };
       };

       zone "138.165.222.in-addr.arpa" IN {
               type master;
               file "reverse.abc.zone";
               allow-update { none; };
               allow-query { any; };
       };
};

include "/etc/rndc.key";



Hope the above is what you are in search of.

GOOD LUCK



On Thu, Jun 12, 2008 at 1:11 PM, Tim Verhoeven
<tim.verhoeven.be at gmail.com> wrote:
> On Thu, Jun 12, 2008 at 1:09 AM, Joseph L. Casale
> <JCasale at activenetwerx.com> wrote:
>> From the manual, localnets matches hosts belonging to a network for which the server
>> has an interface in. I have a dns server in a dmz with an ip of 192.168.2.2 in /24. Named.conf
>> has 3 views, localhost_resolver -> localhost, internal -> localnets, and external -> !localnets; !localhost.
>>
>> I have a management workstation in 192.168.0.0/24 that is connecting and receiving the following
>> debug:
>> client 192.168.0.44#2188: no matching view in class 'IN'
>>
>> I don't get it? Obviously if I add all to the external view, it works. How is this failing?
>
> Could you post your complete named.conf file so that we can have a look at it ?
>
> Regards,
> Tim
>
> --
> Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83
>
> Hoping the problem magically goes away by ignoring it is the
> "microsoft approach to programming" and should never be allowed.
> (Linus Torvalds)
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Thank you
Indunil Jayasooriya
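An added illustration, my own Python rather than anything from this thread, of why the quoted `external -> !localnets; !localhost;` view produces "no matching view in class 'IN'". It models BIND's address-match-list rules (first matching element decides, a matching negated element means "no match", and a list made only of negations never matches anyone) using the DMZ interface 192.168.2.2/24 from the question and the "trusted-subnet" acl from the posted named.conf; the expansion of the built-in localnets/localhost names is a simplified, IPv4-only assumption.

```python
import ipaddress

# Constructed sample: DMZ interface from the question, "trusted-subnet" acl from the posted named.conf.
SERVER_INTERFACES = ["192.168.2.2/24"]
TRUSTED_SUBNET = ["192.168.3.0/24", "192.168.2.0/24", "192.168.4.0/24"]

def named_acls(interfaces=SERVER_INTERFACES):
    """Expand BIND's built-in ACL names (assumed, simplified IPv4-only model)."""
    net = ipaddress.ip_network
    return {
        "localnets": [net(i, strict=False) for i in interfaces],
        "localhost": [net(i.split("/")[0] + "/32") for i in interfaces]
                     + [net("127.0.0.0/8")],
        "any": [net("0.0.0.0/0")],
        "trusted-subnet": [net(n) for n in TRUSTED_SUBNET],
    }

def acl_matches(client, address_match_list, acls):
    """BIND address_match_list semantics: the first element matching the client
    decides; a negated element ("!x") that matches means NO match.  Falling off
    the end is also no match, so a list of only negations admits nobody."""
    ip = ipaddress.ip_address(client)
    for element in address_match_list:
        negated = element.startswith("!")
        nets = acls[element.lstrip("!")]
        if any(ip in n for n in nets):
            return not negated
    return False  # no element matched at all

def select_view(client, views, acls):
    """Views are tried in named.conf order; the first whose match-clients admits the client wins."""
    for name, match_clients in views:
        if acl_matches(client, match_clients, acls):
            return name
    return None  # what named logs as "client X: no matching view in class 'IN'"

# The three views exactly as described in the question.
VIEWS_AS_ASKED = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["localnets"]),
    ("external", ["!localnets", "!localhost"]),  # negations only: never matches
]
# The fix: a positive element after the negations (or plain { any; } as in the posted config).
VIEWS_FIXED = [
    ("localhost_resolver", ["localhost"]),
    ("internal", ["localnets", "localhost", "trusted-subnet"]),
    ("external", ["!localnets", "!localhost", "any"]),
]
```

Note that in the posted named.conf the "external" view matches `any` while its `recursion no;` line is commented out, so the server also answers recursive queries from the Internet; a defender would uncomment that line to keep the external view authoritative-only.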