Date: Sun, 3 Nov 2002 00:05:13 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: caching nameserver (was Resolving hostnames takes "forever")
Message-ID: <20021103000513.GA4626@happy-idiot-talk.infracaninophi>
In-Reply-To: <3DC4522A.5080908@mac.com>
References: <200211021432.19756.freebsd.nospam@mekanix.dk> <20021102144105.GA1116@happy-idiot-talk.infracaninophi> <1036250840.74419.67.camel@prometheus> <20021102173007.GC1116@happy-idiot-talk.infracaninophi> <3DC4522A.5080908@mac.com>
On Sat, Nov 02, 2002 at 02:31:06PM -0800, paul beard wrote:
> Matthew Seaman wrote:
> >to /etc/rc.conf, and put the IP number of your server as the first
> >choice in /etc/resolv.conf:
> >
> >    nameserver 12.34.56.78
> >
> >for the correct value of "12.34.56.78"
>
> I've done this, but I can't get 192.168.2.1 to resolve addresses
> in nslookup unless I drop into interactive mode and specify it.

That's nslookup for you. You don't seem to have a reverse domain for
2.168.192.in-addr.arpa set up anywhere, so nslookup throws a wobbly
about being asked to look stuff up at an address in that range.
There's a reason it's been deprecated in BIND 9. Two much better tools
are 'host' and 'dig'. Try:

    host ftp.freebsd.org
    dig ftp.freebsd.org

> >Note however that this configuration will allow anyone on the net who
> >can get packets to port 53 of your server to use your named to do
> >recursive lookups --- consult the named.conf(5) man page and the
> >documentation at http://www.isc.org/products/BIND/docs/index.html to
> >find out how to configure it better.
>
> This looks like something you can do with an acl to permit only
> your local network(s). I'm not sure how I invoke it after I set it.
>
> As near as I can make out, this is what I need to permit only
> queries from my local network.
>
>     // acl list
>     acl home {
>         192.168.2/255.255.255.0
>     };

You're missing a ';' amongst other things --- named.conf likes to have
a liberal sprinkling of semi-colons.

    acl "home" {
        192.168.2.0/24;
    };

Note that it's 'network address / length of netmask'. You don't have
to put quotes around the acl name, but it's good practice to avoid
potential conflict with key words. The acl definitions are top level
statements in the config file, i.e. outside the 'options' block.

>     allow_query {
>         address_match_list (home);
>     };

There are four built in acls that you can use. 'localhost' is a list
of all the configured interfaces on the server and 'localnets' is a
list of all the directly attached networks. Then there's 'any' and
'none' which are self explanatory. Just write the name of the acl
literally in the allow-query or allow-recursion or whatever statement,
e.g.:

    allow-query { localnets; };

or

    allow-recursion { "home"; };

If you used quotes in the definition of the acl, then you should use
them for any reference to the acl.

These can be put into the options { }; block, which makes them into
default values for the whole server, or they may be inserted into a
view { }; or zone { }; statement to have a more narrow effect.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
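The acl, allow-query and allow-recursion statements Matthew describes above are easy to get subtly wrong (a dropped semicolon, a forgotten negation, an acl that still expands to 'any'), and the failure mode is an open resolver. The following is an added example, written for this page and not taken from the thread or from ISC's BIND: a small Python reader for exactly those statements that evaluates them with BIND's first-match address-match-list rules, so you can ask "would this client get recursion?" offline. The two configs, the client addresses and the interface list behind 'localhost' / 'localnets' (192.168.2.1/24 plus loopback) are constructed for the example. It is deliberately not a full named.conf parser: view and zone blocks, nested literal { } lists inside an acl, and key/TSIG elements are not modelled (key elements never match here, which is correct for an unsigned query).

```python
"""Evaluate BIND allow-query / allow-recursion for a client address.

Added example (not from the mailing-list thread or from ISC).  Handles
top-level acl statements, the built-ins any/none/localhost/localnets,
'!' negation and acl references, with named's first-match semantics.
"""
import ipaddress
import re

# Constructed: the hardened config assembled from the thread's fragments.
SAMPLE_NAMED_CONF = """
// acl list
acl "home" {
    !192.168.2.99;      // one LAN host explicitly excluded
    192.168.2.0/24;
};

options {
    directory "/etc/namedb";
    allow-query { localnets; };
    allow-recursion { "home"; };
};

zone "." { type hint; file "named.root"; };
"""

# Constructed: the 'before' state the thread warns about (open resolver).
OPEN_NAMED_CONF = """
options {
    directory "/etc/namedb";
    allow-query { any; };
    allow-recursion { any; };
};
"""

# Assumed server interfaces, i.e. what 'localhost' and 'localnets' expand to.
LOCAL_ADDRS = [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("192.168.2.1")]
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.2.0/24")]


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_acls(text):
    """Return {name: [element, ...]} for every top-level acl statement."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', text):
        acls[m.group(1)] = split_elements(m.group(2))
    return acls


def split_elements(body):
    """Split an address match list body on ';', keeping '!' and quotes."""
    return [e.strip() for e in body.split(";") if e.strip()]


def options_block(text):
    """Body of the top-level options { ... } block, found by brace counting."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def option_list(options_body, name):
    """Elements of `name { ... };` inside options, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", options_body)
    return split_elements(m.group(1)) if m else None


def match_list(addr, elements, acls, depth=0):
    """First-match evaluation: +1 allow, -1 negated match (deny), 0 no match.

    A nested acl that matches only negatively counts as no match for the
    enclosing element, which is how named treats indirect lists.
    """
    if depth > 16:                       # guard against self-referential acls
        return 0
    for el in elements:
        negated = el.startswith("!")
        atom = el.lstrip("!").strip().strip('"')
        if atom_matches(addr, atom, acls, depth):
            return -1 if negated else 1
    return 0


def atom_matches(addr, atom, acls, depth):
    """One address-match-list element against a single client address."""
    if atom == "any":
        return True
    if atom in ("none", ""):
        return False
    if atom == "localhost":
        return addr in LOCAL_ADDRS
    if atom == "localnets":
        return any(addr in net for net in LOCAL_NETS)
    if atom in acls:
        return match_list(addr, acls[atom], acls, depth + 1) > 0
    try:
        return addr in ipaddress.ip_network(atom, strict=False)
    except ValueError:
        return False                     # e.g. "key foo": no match for an unsigned query


def recursion_allowed(conf, client, absent_default=("any",)):
    """True if `client` can use this server as a recursive resolver.

    A query is recursed only if it passes allow-query AND allow-recursion.
    A missing statement is evaluated as `absent_default`; the thread's era
    of BIND 9 effectively allowed anyone, later releases changed the
    allow-recursion default, so pass the value that matches your version.
    """
    text = strip_comments(conf)
    acls = parse_acls(text)
    opts = options_block(text)
    addr = ipaddress.ip_address(client)
    for name in ("allow-query", "allow-recursion"):
        elements = option_list(opts, name)
        if elements is None:
            elements = list(absent_default)
        if match_list(addr, elements, acls) <= 0:
            return False
    return True


if __name__ == "__main__":
    for label, conf in (("hardened", SAMPLE_NAMED_CONF), ("open", OPEN_NAMED_CONF)):
        for client in ("192.168.2.10", "192.168.2.99", "203.0.113.5"):
            verdict = "recursion" if recursion_allowed(conf, client) else "refused"
            print(f"{label:8} {client:14} {verdict}")
```

Run it and the hardened config grants recursion only to 192.168.2.10; the excluded host 192.168.2.99 and the Internet address 203.0.113.5 are refused, while the open config says "recursion" for all three. Once named is actually running, confirm the same thing from outside the LAN with `dig @your.server ftp.freebsd.org` and check for REFUSED, since this script reads the file rather than the live server.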