Date: Mon, 5 Jul 2010 20:58:30 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Chris Maness <chris@chrismaness.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: BIND Refusing to Resolve for External Hosts
Message-ID: <20100705201412.I54166@sola.nimnet.asn.au>
In-Reply-To: <20100704120016.B051C10656DF@hub.freebsd.org>
References: <20100704120016.B051C10656DF@hub.freebsd.org>

In freebsd-questions Digest, Vol 317, Issue 13, Message: 14
On Sat, 3 Jul 2010 14:20:01 -0700 Chris Maness <chris@chrismaness.com> wrote:

> Ok, it is working for the local net now, but it is no longer working
> as an authoritative server for my zones.
>
> Here is the current config:
>
> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25
> 02:59:29 kensmith Exp $
> //
> // Refer to the named.conf(5) and named(8) man pages, and the documentation
> // in /usr/share/doc/bind9 for more details.

Indeed, the ARM be deep and wide, but pretty well essential reading ..

[..]

> // Set up an ACL called our-nets. Replace this with the real IP numbers.
>
> acl our-nets { 192.168.1.0/24; 76.238.148.145/24; 127.0.0.1; };
>
> options {
> // Relative to the chroot directory, if any
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-transfer {
> 76.238.148.146; };
> allow-query { our-nets; };
> allow-recursion { our-nets; };
> };

What Matthew said, of course .. just to add that:

Anything set in options is global, so here 'allow-query { our-nets; };'
is why you later found the need, in Message: 15 :)

[..]

> Ahhh, I see I need to add:
>
> allow-query { any; };
>
> to my authoritative zones.
>
> Thanks it all works now.
>
> Chris Maness
>
>
> p.s. So was this a change in the default behavior of BIND over the
> years? Because I don't think my named.conf has been changed, and this
> used to work for any hosts.

I gather you didn't have that acl limiting queries to our-net before ..
and yes bind is always on the move, keeping ahead of the moving badguys.

cheers, Ian
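
The ACL precedence discussed in this message, as an added example that is not part of the original e-mail and is not BIND code: a simplified Python model in which a zone-level allow-query replaces the one set in options, while recursion stays limited to our-nets. The zone name example.org, the client addresses, and all function names are assumptions made for illustration; the our-nets values are copied from the quoted config.

```python
import ipaddress

# ACL values copied from the quoted named.conf; strict=False because
# 76.238.148.145/24 has host bits set.
OUR_NETS = [ipaddress.ip_network(n, strict=False)
            for n in ("192.168.1.0/24", "76.238.148.145/24", "127.0.0.1/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]   # IPv4-only stand-in for "any"

def matches(client, acl):
    """True if the client address falls inside any network of the ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl)

def decide(client, qname, options, zones):
    """Return 'answer' or 'refused' for one query (simplified model)."""
    name = qname.rstrip(".").lower()
    # Longest-suffix match picks the authoritative zone, if any.
    zone = max((z for z in zones if name == z or name.endswith("." + z)),
               key=len, default=None)
    if zone is not None:
        # A zone-level allow-query replaces the options-level one.
        acl = zones[zone].get("allow-query", options["allow-query"])
        return "answer" if matches(client, acl) else "refused"
    # Not authoritative: the client must also be allowed to recurse.
    ok = (matches(client, options["allow-query"])
          and matches(client, options["allow-recursion"]))
    return "answer" if ok else "refused"

OPTIONS = {"allow-query": OUR_NETS, "allow-recursion": OUR_NETS}
BEFORE = {"example.org": {}}                     # zone inherits options ACL
AFTER = {"example.org": {"allow-query": ANY}}    # per-zone override

def report():
    """Compare both configs for an inside and an outside client."""
    rows = []
    for client in ("192.168.1.10", "203.0.113.7"):   # constructed clients
        for qname in ("www.example.org", "www.example.net"):
            rows.append((client, qname,
                         decide(client, qname, OPTIONS, BEFORE),
                         decide(client, qname, OPTIONS, AFTER)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-13s %-16s before=%-8s after=%s" % row)
```

The outside client is answered only for the authoritative zone after the override, and is still refused for names that would need recursion.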