Hello, I have a server I am testing before I put it in production. I am working on a more secure bind config. BTW, if anyone has any other suggestions on locking down bind besides the below and chroot, let me know. I was adding views, which has been debated time and time again as to whether or not it really helps, but anyway. My problem is I have the latest bogons from team-cymru, which includes my internal network subnet 192.168.16.0/21. So in the bogons list it says 192.168.0.0/16, which is blackholed. So my local network is being blackholed, but it works fine when users not on the bogons query the server from the external view. My question is how can I get this to work without adding each CIDR block of the 192.168.0.0/16 separately or even breaking it up in /21s? I have tried everything I know how. A sanitized portion of my named.conf is this:
// For length's sake I took out the other networks.....

acl i_lan { 127.0.0.1; 192.168.16.0/21; };
acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2; };
acl bogons { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 192.168.0.0/16; 198.18.0.0/15; 223.0.0.0/8; 224.0.0.0/3; };

options {
    version "Go Away";
    directory "/var/named";
    dump-file "/var/dump/named_dump.db";
    pid-file "/var/run/named/named.pid";
    statistics-file "/var/stats/named.stats";
    recursion no;
    allow-query { any; };
    listen-on { 127.0.0.1; 192.168.16.2; };
    recursive-clients 1000;
    tcp-clients 1000;
    auth-nxdomain yes;
    blackhole { bogons; };
};

view "internal" {
    match-clients { i_lan; };
    notify no;
    recursion yes;
    allow-transfer { i_dns; };
    zone "localhost" { type master; file "localhost.zone"; };
    zone "127.in-addr.arpa" { type master; file "localhost.zone"; };
    zone "0.in-addr.arpa" { type master; file "named.zero"; };
    zone "255.in-addr.arpa" { type master; file "named.broadcast"; };
    // zones go here
};

view "external" {
    match-clients { !i_lan; any; };
    recursion no;
    allow-transfer { i_dns; };
    // zones go here
};

Any help is appreciated and thanks in advance. RootNet08
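A runnable model of the behaviour in question, added here as an example and not part of the original post: BIND evaluates address match lists first-match, and an element can be negated with `!` (the post already relies on this in `match-clients { !i_lan; any; }`). The script below is a small Python re-implementation of those semantics (not BIND's own code), using a constructed ACL table that mirrors the post's `i_lan` and a shortened `bogons` list. It shows that a blackhole list written as `{ !i_lan; bogons; }` exempts the internal /21 while the rest of 192.168.0.0/16 stays blackholed, that `{ bogons; !i_lan; }` does not, because the `bogons` element matches first, and that a negated prefix placed first inside the `bogons` ACL itself has the same effect. The function names and the ACL table are assumptions for the example.

```python
"""Model of BIND first-match address match list semantics (added example,
not BIND code). ACL table and client addresses are constructed."""
import ipaddress

# Constructed ACL table mirroring the post; the bogon list is shortened.
ACLS = {
    "i_lan": "{ 127.0.0.1; 192.168.16.0/21; }",
    "bogons": "{ 0.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; 224.0.0.0/3; }",
}


def parse_list(text):
    """Turn '{ !i_lan; bogons; }' into [(negated, token), ...]."""
    body = text.strip()
    if body.startswith("{"):
        body = body[1:]
    if body.endswith("}"):
        body = body[:-1]
    elements = []
    for raw in body.split(";"):
        tok = raw.strip()
        if tok:
            elements.append((tok.startswith("!"), tok.lstrip("!").strip()))
    return elements


def _element_hits(tok, addr, acls):
    """True if a single (non-negated) token covers addr, else None."""
    if tok == "any":
        return True
    if tok == "none":
        return None
    if tok in acls:
        # Nested ACL: only a positive inner match counts. A negated
        # inner match is treated as "no match" so a double negation
        # cannot turn into a surprise positive match (BIND does the same).
        inner = match_list(parse_list(acls[tok]), addr, acls)
        return True if inner is True else None
    net = ipaddress.ip_network(tok, strict=False)  # bare IP -> /32
    return True if addr in net else None


def match_list(elements, addr, acls):
    """First-match walk. Returns True (positive match), False (the first
    matching element was negated, i.e. explicitly excluded) or None
    (nothing in the list matched)."""
    for negated, tok in elements:
        if _element_hits(tok, addr, acls) is True:
            return not negated
    return None


def is_blackholed(client, blackhole_list, acls=ACLS):
    """Would 'blackhole <blackhole_list>;' drop queries from client?"""
    addr = ipaddress.ip_address(client)
    return match_list(parse_list(blackhole_list), addr, acls) is True


if __name__ == "__main__":
    lan_host, other_rfc1918, public = "192.168.16.10", "192.168.1.10", "8.8.8.8"
    for bh in ("{ bogons; }", "{ !i_lan; bogons; }", "{ bogons; !i_lan; }"):
        print(f"blackhole {bh}:")
        for c in (lan_host, other_rfc1918, public):
            print(f"  {c:>14} -> {'DROPPED' if is_blackholed(c, bh) else 'allowed'}")
    # Alternative: exempt the /21 inside the bogon ACL itself.
    alt = {"bogons": "{ !192.168.16.0/21; 192.168.0.0/16; }"}
    print("negated prefix inside acl:", is_blackholed(lan_host, "{ bogons; }", alt))
```

The named.conf change this models is `blackhole { !i_lan; bogons; };` in `options`, which leaves the team-cymru list untouched and puts the exemption in front of it; the exemption must come before `bogons`, since the first element that covers the client decides.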
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users