From: Ian Smith
To: Chris Maness
Cc: freebsd-questions@freebsd.org
Date: Mon, 5 Jul 2010 20:58:30 +1000 (EST)
Subject: Re: BIND Refusing to Resolve for External Hosts

In freebsd-questions Digest, Vol 317, Issue 13, Message: 14
On Sat, 3 Jul 2010 14:20:01 -0700 Chris Maness wrote:

> Ok, it is working for the local net now, but it is no longer working
> as an authoritative server for my zones.
>
> Here is the current config:
>
> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25 02:59:29 kensmith Exp $
> //
> // Refer to the named.conf(5) and named(8) man pages, and the documentation
> // in /usr/share/doc/bind9 for more details.

Indeed, the ARM be deep and wide, but pretty well essential reading ..

[..]

> // Set up an ACL called our-nets. Replace this with the real IP numbers.
>
> acl our-nets { 192.168.1.0/24; 76.238.148.145/24; 127.0.0.1; };
>
> options {
>         // Relative to the chroot directory, if any
>         directory "/etc/namedb";
>         pid-file "/var/run/named/pid";
>         dump-file "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>         allow-transfer {
>                 76.238.148.146; };
>         allow-query { our-nets; };
>         allow-recursion { our-nets; };
> };

What Matthew said, of course .. just to add that:

Anything set in options is global, so here 'allow-query { our-nets; };'
is why you later found the need, in Message: 15 :)

[..]

> Ahhh, I see I need to add:
>
> allow-query { any; };
>
> to my authoritative zones.
>
> Thanks it all works now.
>
> Chris Maness
>
>
> p.s. So was this a change in the default behavior of BIND over the
> years? Because I don't think my named.conf has been changed, and this
> used to work for any hosts.

I gather you didn't have that acl limiting queries to our-net before ..
and yes bind is always on the move, keeping ahead of the moving badguys.

cheers, Ian
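The behaviour discussed in this message, as an added example that is not part of the original thread: a simplified Python model of how the global allow-query in options and a per-zone allow-query { any; } decide a query, while recursion stays limited to our-nets. The zone name example.com, the client addresses and all function names are assumptions made for illustration.

```python
import ipaddress

def acl(*cidrs):
    # strict=False: the quoted entry 76.238.148.145/24 has host bits set
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

OUR_NETS = acl("192.168.1.0/24", "76.238.148.145/24", "127.0.0.1/32")
ANY = acl("0.0.0.0/0")

# Global options as in the quoted named.conf
OPTIONS = {"allow-query": OUR_NETS, "allow-recursion": OUR_NETS}
# Constructed zone tables: example.com stands in for one authoritative zone
ZONES_BEFORE = {"example.com": {}}                    # inherits the global ACL
ZONES_AFTER = {"example.com": {"allow-query": ANY}}   # per-zone override

def permitted(networks, client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in networks)

def find_zone(qname, zones):
    """Longest-suffix match of qname against the configured zone names."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def decide(client, qname, options, zones):
    """Return 'answer', 'recurse' or 'refused' for one query (simplified)."""
    zone = find_zone(qname, zones)
    if zone is not None:
        # A zone-level allow-query replaces the global one for that zone only.
        networks = zones[zone].get("allow-query", options["allow-query"])
        return "answer" if permitted(networks, client) else "refused"
    # Name outside our zones: this model gates it on allow-recursion alone.
    if permitted(options["allow-recursion"], client):
        return "recurse"
    return "refused"

if __name__ == "__main__":
    # Constructed clients: one LAN host, one outside host (TEST-NET-3)
    for client in ("192.168.1.10", "203.0.113.7"):
        for qname in ("www.example.com", "www.example.org"):
            before = decide(client, qname, OPTIONS, ZONES_BEFORE)
            after = decide(client, qname, OPTIONS, ZONES_AFTER)
            print(f"{client:>13} {qname:<16} before={before:<8} after={after}")
```

The outside client goes from refused to answer only for the authoritative zone; names outside it stay refused, so the override does not turn the server into an open resolver.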