From: Chris Maness
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Sat, 3 Jul 2010 14:04:35 -0700
Subject: Re: BIND Refusing to Resolve for External Hosts
In-Reply-To: <4C2F9503.5020801@infracaninophile.co.uk>
References: <4C2CA73E.9010700@infracaninophile.co.uk> <4C2F9503.5020801@infracaninophile.co.uk>

On Sat, Jul 3, 2010 at 12:52 PM, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/07/2010 20:28:27, Chris Maness wrote:
>> Including the line:
>>
>> acl public-nets { 127.0.0.1; ::1; }
>                                     ^
> You need a semi-colon here _________|

I am on Gmail with a variable-width font. I am not sure exactly where I
need the semi-colon.

> Just defining the acl won't do a great deal on its own -- you need to
> add it to an allow-recursion {}; or similar block.

Sorry, Matt. I haven't had to mess with the configuration file in 10
years. Everything just worked until recently (probably the upgrade). I am
running a small Web/DNS/Mail server in my house. I like using a local
recursive server, as it has been faster than the alternatives in the past.
Currently, my local net is using the DSL router as its upstream DNS.

So, without rambling too much: I am a bit simple at this stuff, and a
little confused. I could switch to another DNS server, but for academic
purposes I want to learn this stuff.

I am looking at some example files from the ISC link you sent me:

http://www.isc.org/files/arm96.html#sample_configuration

I was thinking of just rebuilding the file from scratch, as my current
file is Greek to me. However, the examples posted are for recursive-only
and authoritative-only servers. Since my server is a hybrid, I am
wondering which directives might interfere with the other.
Moreover, I had a look at the security section from that link:

http://www.isc.org/files/arm96.html#Bv9ARM.ch07

Here is what I added to my named.conf. I guess over time they have
increased the default security of BIND, so that old files don't allow
recursion from outside hosts by default.

// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { 192.168.1.0/24; };

options {
        // Relative to the chroot directory, if any
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        // Each address list is its own block and must be closed with "};"
        allow-transfer { 76.238.148.146; };
        allow-query { our-nets; };
        allow-recursion { our-nets; };
};

Thanks,
Chris Maness
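The two points this exchange turns on, that every block in named.conf must be closed with "};" and that an acl does nothing until allow-recursion (or another access-control option) references it, can be checked mechanically. The Python linter below is an added example; it is not part of the thread and not a BIND tool (named-checkconf, shipped with BIND 9, is the real syntax checker). It tokenizes a named.conf fragment, reports a block that is not followed by ";", and then inspects the options block for recursion that is open, unrestricted or points at an acl that was never defined. It also flags a global allow-query, since on a server that is also authoritative that restriction applies to the zones as well unless each zone carries its own allow-query. The sample configurations at the bottom are constructed, modelled on the ones quoted above; 192.0.2.10 is a documentation address standing in for the real transfer peer.

```python
"""Lint a named.conf fragment for the two problems raised in this thread: a block not
terminated with ';' and recursion not limited to an ACL.  Added example (not from the
thread or from BIND); the sample configs at the bottom are constructed."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')          # quoted string | punct | word
ADDR_RE = re.compile(r'^[0-9A-Fa-f.:]+(/\d{1,3})?$')        # v4/v6 address or prefix
BUILTIN_ACLS = {'any', 'none', 'localhost', 'localnets'}


def tokenize(text):
    """Drop /* */, // and # comments, then split into words, quoted strings and { } ;."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    text = re.sub(r'(//|#)[^\n]*', ' ', text)
    return TOKEN_RE.findall(text)


def parse(tokens):
    """Parse `word+ [ { statement* } ] ;` into (words, block) pairs; recovers after errors."""
    pos, n, problems = 0, len(tokens), []

    def parse_block():
        nonlocal pos
        stmts = []
        while pos < n and tokens[pos] != '}':
            words = []
            while pos < n and tokens[pos] not in ('{', '}', ';'):
                words.append(tokens[pos])
                pos += 1
            name = ' '.join(words) or '<empty statement>'
            block, closed = None, True
            if pos < n and tokens[pos] == '{':
                pos += 1
                block = parse_block()
                if pos < n and tokens[pos] == '}':
                    pos += 1
                else:
                    problems.append(f"unclosed block in '{name}'")
                    closed = False
            if closed and pos < n and tokens[pos] == ';':
                pos += 1
            elif closed:
                problems.append(f"missing ';' after '{name}'")
            stmts.append((words, block))
        return stmts

    stmts = parse_block()
    if pos < n:
        problems.append("unexpected '}' at top level")
    return stmts, problems


def check_policy(stmts):
    """Flag open/unrestricted/undefined allow-recursion and a global allow-query."""
    findings = []
    acls = {w[1] for w, _ in stmts if len(w) == 2 and w[0] == 'acl'}
    options = next((b for w, b in stmts if w == ['options'] and b is not None), [])

    def option(name):
        return next(((w, b) for w, b in options if w[:1] == [name]), None)

    recursion = option('recursion')
    if recursion and recursion[0][1:] == ['no']:
        return findings                       # authoritative-only: nothing to restrict
    allow = option('allow-recursion')
    if allow is None:
        findings.append("recursion is enabled but allow-recursion {} is not set; defining "
                        "an acl does nothing until it is referenced here")
    else:
        for words, _ in allow[1] or []:
            entry = ' '.join(words)
            if entry.startswith('!'):
                continue                      # a negated entry denies; nothing to flag
            if entry == 'any':
                findings.append("allow-recursion { any; } makes this an open resolver")
            elif entry not in BUILTIN_ACLS and entry not in acls and not ADDR_RE.match(entry):
                findings.append(f"allow-recursion references undefined acl '{entry}'")
    query = option('allow-query')
    if query and not any(w == ['any'] for w, _ in query[1] or []):
        findings.append("allow-query in options also limits queries for the zones this "
                        "server is authoritative for; give those zones allow-query { any; }")
    return findings


def lint(text):
    stmts, syntax = parse(tokenize(text))
    return {'syntax': syntax, 'policy': check_policy(stmts)}


# Constructed samples modelled on the thread; 192.0.2.10 is a documentation address.
SAMPLE_BROKEN = """acl public-nets { 127.0.0.1; ::1; }
options { directory "/etc/namedb"; recursion yes; allow-query { public-nets; }; };"""
SAMPLE_FIXED = """acl our-nets { 192.168.1.0/24; 127.0.0.1; ::1; };
options { directory "/etc/namedb"; allow-transfer { 192.0.2.10; };
    allow-query { any; }; allow-recursion { our-nets; }; };"""
SAMPLE_MISNESTED = """acl our-nets { 192.168.1.0/24; };
options { directory "/etc/namedb"; allow-transfer { 192.0.2.10;
    allow-query { our-nets; }; allow-recursion { our-nets; }; };"""
```

lint(SAMPLE_BROKEN) reports the missing ";" after the acl and, separately, that recursion is enabled without any allow-recursion; lint(SAMPLE_FIXED) reports nothing. SAMPLE_MISNESTED shows the failure mode of a "};" dropped inside options: the parser reports "unclosed block in 'options'", and because allow-query and allow-recursion end up nested inside allow-transfer rather than in options, the policy check also reports that recursion is unrestricted.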