From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Date: Sun, 3 Nov 2002 00:05:13 +0000
Subject: Re: caching nameserver (was Resolving hostnames takes "forever")
Message-ID: <20021103000513.GA4626@happy-idiot-talk.infracaninophi>
In-Reply-To: <3DC4522A.5080908@mac.com>

On Sat, Nov 02, 2002 at 02:31:06PM -0800, paul beard wrote:
> Matthew Seaman wrote:
> > to /etc/rc.conf, and put the IP number of your server as the first
> > choice in /etc/resolv.conf:
> >
> >     nameserver 12.34.56.78
> >
> > for the correct value of "12.34.56.78"
>
> I've done this, but I can't get 192.168.2.1 to resolve addresses
> in nslookup unless I drop into interactive mode and specify it.

That's nslookup for you. You don't seem to have a reverse domain for
2.168.192.in-addr.arpa set up anywhere, so nslookup throws a wobbly
about being asked to look stuff up at an address in that range.
There's a reason it's been deprecated in BIND 9. Two much better
tools are 'host' and 'dig'. Try:

    host ftp.freebsd.org
    dig ftp.freebsd.org

> > Note however that this configuration will allow anyone on the net who
> > can get packets to port 53 of your server to use your named to do
> > recursive lookups --- consult the named.conf(5) man page and the
> > documentation at http://www.isc.org/products/BIND/docs/index.html to
> > find out how to configure it better.
>
> This looks like something you can do with an acl to permit only
> your local network(s). I'm not sure how I invoke it after I set it.
>
> As near as I can make out, this is what I need to permit only
> queries from my local network.
>
>     // acl list
>     acl home {
>         192.168.2/255.255.255.0
>     };

You're missing a ';' amongst other things --- named.conf likes to have
a liberal sprinkling of semi-colons.

    acl "home" {
        192.168.2.0/24;
    };

Note that it's 'network address / length of netmask'. You don't have
to put quotes around the acl name, but it's good practice to avoid
potential conflict with key words. The acl definitions are top level
statements in the config file, i.e. outside the 'options' block.

>     allow_query {
>         address_match_list (home);
>     };

There are four built in acls that you can use. 'localhost' is a list
of all the configured interfaces on the server and 'localnets' is a
list of all the directly attached networks. Then there's 'any' and
'none' which are self explanatory.

Just write the name of the acl literally in the allow-query or
allow-recursion or whatever statement, e.g.:

    allow-query { localnets; };

or

    allow-recursion { "home"; };

If you used quotes in the definition of the acl, then you should use
them for any reference to the acl.

These can be put into the options { }; block, which makes them into
default values for the whole server, or they may be inserted into a
view { }; or zone { }; statement to have a more narrow effect.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
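The pieces of the reply assembled into one named.conf, as an added example that is not part of Matthew's message or of any FreeBSD-shipped file: the acl defined at top level, allow-query and allow-recursion set in options { } as server-wide defaults (with the open-resolver settings the quoted warning describes shown commented out beside them), and a zone-level allow-query that narrows the default for one zone. Assumptions: the server's own address is 192.168.2.1 and the LAN is 192.168.2.0/24 (from paul's post); the directory, root-hints file, and the zone name and file are placeholders to be replaced with your own.

```conf
// Added example; not from the original message.
// Assumes server address 192.168.2.1 on LAN 192.168.2.0/24; paths and the
// zone name below are placeholders.

// ACLs are top-level statements, outside options { }.
acl "home" {
    127.0.0.1;          // the server itself
    192.168.2.0/24;     // network address / prefix length, not a dotted mask
};

options {
    directory "/etc/namedb";                  // placeholder config directory
    listen-on { 127.0.0.1; 192.168.2.1; };

    // The open-resolver settings the quoted warning refers to: any host
    // that can reach port 53 may use this server for recursive lookups.
    //   allow-query     { any; };
    //   allow-recursion { any; };

    // Restricted: only the LAN and the box itself may query or recurse.
    // The quoted name must match the acl definition exactly.
    allow-query     { "home"; };
    allow-recursion { "home"; };
};

// Root hints, needed for a caching server to resolve outside names.
zone "." {
    type hint;
    file "named.root";                        // placeholder path
};

// A zone-level statement overrides the server-wide default for that zone
// only. "localnets" is one of the four built-in acls (hypothetical zone).
zone "lan.example" {
    type master;
    file "master/lan.example";
    allow-query { localnets; };
};
```

BIND 9 ships `named-checkconf`, which reports the missing-semicolon class of error before you reload. Once running, a query sent to the server from an address outside the "home" acl should come back REFUSED, while one from the LAN is answered; if you later split the config into view { } blocks, every zone has to live inside a view.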