From: Matthew Seaman
Date: Sun, 04 Jul 2010 06:27:53 +0100
To: Chris Maness
Cc: freebsd-questions@freebsd.org
Subject: Re: BIND Refusing to Resolve for External Hosts
Message-ID: <4C301BD9.30405@infracaninophile.co.uk>

On 03/07/2010 22:29:46, Chris Maness wrote:

> Ahhh, I see I need to add:
>
> allow-query { any; };
>
> to my authoritative zones.
>
> Thanks it all works now.

Great.

> p.s. So was this a change in the default behavior of BIND over the
> years? Because I don't think my named.conf has been changed, and this
> used to work for any hosts.

The built-in access control rules have evolved over time, certainly.
However, this hasn't changed since BIND 9.6 was released, and possibly
longer than that. RELENG_8 and above have contained BIND 9.6.x from the
point where the branch was created, but RELENG_7 contains BIND 9.4.x --
so if you've done an upgrade from 7.x to 8.x recently it might explain
your experiences.

The pre-canned configuration that comes with FreeBSD is suitable for use
as a localhost-only recursive resolver: if you want to serve a whole
network of machines or add authoritative data then you will need to
modify it or craft your own named.conf, an important part of which is
setting up ACLs to control what you will serve to who.

This is a very useful reference:

http://www.cymru.com/Documents/secure-bind-template.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
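
The ACL arrangement discussed in this message, as an added named.conf fragment that is not part of the original post or of the FreeBSD default configuration: recursion and cache answers stay limited to known clients, while the authoritative zone is answered for anyone. The ACL name "trusted", the network 192.0.2.0/24, the zone example.org and its file path are constructed placeholders, and the restrictive global allow-query is an assumption, since the thread does not show the poster's options block.

```conf
// Clients allowed to use this server as a recursive resolver.
// 192.0.2.0/24 is a constructed placeholder for the local network.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    recursion yes;

    // Assumed global policy: only trusted clients may query at all,
    // recurse, or read answers from the cache. External hosts are
    // refused unless a zone overrides allow-query.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};

// Authoritative data must be reachable from the whole Internet, so the
// zone-level allow-query overrides the restrictive global setting.
// This is the line the poster added to each authoritative zone.
zone "example.org" {
    type master;
    file "master/example.org";   // placeholder path
    allow-query    { any; };
    allow-transfer { none; };    // list secondaries here if there are any
};
```

Running named-checkconf against the edited file catches syntax errors before named is reloaded.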