[rhelv6-list] Bind 9.8 and unable to query from internal view

Antonio Lopez cubodebits at gmail.com
Thu Dec 20 14:45:52 UTC 2012


Check allow-query directive

2012/12/20 francis picabia <fpicabia at gmail.com>

> Hi,
>
> I'd really appreciate some help on this. I thought this was working when
> testing, but today when rolling it into production it fails me.
>
> I have internal and external views in named.conf
>
> The goal is to allow everyone (in and out) to query my domain,
> but allow only internal users to query the outside world.
>
> We had this working before in Redhat 5, but something has changed and
> it isn't working for RH 6.
>
> The strange thing is, I can do queries of the outside OK from
> the DNS server, or from systems on the same subnet.
>
> The ones I want to let use the view, seem to match the view,
> but are blocked:
>
> Dec 20 10:14:58 sedna named[7574]: 20-Dec-2012 10:14:58.759 security: info: client XXX.YYY.200.66#55286: view internal: query (cache) 'onmail.com/MX/IN' denied
>
> acl "local_lan" {
>       XXX.YYY.0.0/16;
>       127.0.0.1;
> };
>
> view "internal"
> {
> /* This view will contain zones you want to serve only to "internal"
> clients
>    that connect via your directly attached LAN interfaces - "localnets" .
>  */
>         match-clients           { local_lan; XXX.YYY.1.3; };
>         match-destinations      { any; };
>         recursion yes;
>         additional-from-auth yes;
>         additional-from-cache yes;
>         empty-zones-enable yes;
>         notify yes;
>         allow-transfer { adcs; XXX.YYY.1.3; };
>         also-notify { XXX.YYY.200.67; XXX.YYY.200.66; XXX.YYY.1.3;};
>         // all views must contain the root hints zone:
>         include "/etc/named.root.hints";
>
>         include "/etc/named.rfc1912.zones";
>
>         zone "mydomain.ca" in {
>           type master;
>           file "forward/mydomain.ca";
>         };
>
>         zone "XXX.YYY.in-addr.arpa" in {
>            type master;
>           file "reverse/db.XXX.YYY.rev";
>         };
>
>
> };
>
>
> I've changed the first digits of my network IPs to XXX.YYY.
>
> The DNS system is on XXX.YYY.2.48, and systems on subnet 2 can query it OK.
> Other systems which should fall in the /16 network are not able to query.
>
> It seems like there is something about Bind 9.8 I'm missing.
> Running BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5
>
>
>
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list
>



-- 

“software is like sex, its better when its free”
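The directive the reply points at is the whole story here. In BIND, `match-clients` only decides which view a client lands in; what a matched client may then do is governed by `allow-query`, `allow-query-cache` and `allow-recursion`. Since BIND 9.4 these default to `{ localnets; localhost; }` when none of them is set (and RHEL's stock named.conf additionally ships `allow-query { localhost; };` in `options`, which every view inherits unless it overrides it). `localnets` is only the subnets on the server's own interfaces, which is exactly the symptom in the post: subnet 2 works, the rest of the /16 matches the view and is then logged as `query (cache) ... denied`. The following is an added example, not configuration from the thread: the posted "internal" view with explicit ACLs, plus an assumed "external" view (the post does not show it) for the stated goal of authoritative-only service to the outside. The `local_lan` ACL and zone file paths are taken from the post; the `adcs` ACL, the transfer and notify lines are omitted and would be kept as posted.

```conf
// Added example (not from the thread). Reuses the post's local_lan ACL and
// zone paths; the external view below is an assumption about the intended layout.

acl "local_lan" {
        XXX.YYY.0.0/16;
        127.0.0.1;
};

view "internal" {
        match-clients           { local_lan; XXX.YYY.1.3; };
        match-destinations      { any; };
        recursion yes;

        // Without these three lines BIND 9.4+ falls back to
        // { localnets; localhost; }, i.e. only the server's directly attached
        // subnets may use the cache or recurse. Clients elsewhere in the /16
        // still match this view but are refused with "query (cache) ... denied".
        allow-query             { local_lan; XXX.YYY.1.3; };
        allow-query-cache       { local_lan; XXX.YYY.1.3; };
        allow-recursion         { local_lan; XXX.YYY.1.3; };

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
        include "/etc/named.rfc1912.zones";

        zone "mydomain.ca" in {
                type master;
                file "forward/mydomain.ca";
        };

        zone "XXX.YYY.in-addr.arpa" in {
                type master;
                file "reverse/db.XXX.YYY.rev";
        };
};

// Assumed external view: anyone may ask for the authoritative zone, nobody
// outside may use this server as an open resolver. Listed after "internal"
// because views are matched in order and this one matches everything.
view "external" {
        match-clients           { any; };
        match-destinations      { any; };
        recursion no;
        allow-query             { any; };
        allow-query-cache       { none; };
        allow-recursion         { none; };

        include "/etc/named.root.hints";

        zone "mydomain.ca" in {
                type master;
                file "forward/mydomain.ca";   // or a separate external copy of the zone
        };
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading, then test from a host in the /16 that is not on subnet 2: `dig @XXX.YYY.2.48 onmail.com MX` should now answer instead of returning REFUSED, and the `security` log channel should stop printing the `query (cache) ... denied` line for that client. From an address outside the /16 the same query should still be refused, while `dig @XXX.YYY.2.48 mydomain.ca SOA` is answered; that pair of results is the evidence that the server is authoritative to the world but recursive only for the LAN.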