Exclude your subnet from the bogons ACL by negating it at the beginning of the list; the exception has to precede the 192.168.0.0/16 entry, because an address match list is evaluated first-match.

acl bogons {
        // Address match lists are first-match: the negated entry must come
        // before the 192.168.0.0/16 entry below, or that broader entry wins
        // and the local subnet stays blackholed.
        ! 192.168.16.0/21;
        0.0.0.0/8;
        [...]
        192.168.0.0/16;
        [...]
};

Chris Buxton
Professional Services
Men & Mice

On Nov 17, 2008, at 8:38 PM, root net wrote:

Hello,

I have a server I am testing before I put it in production, working on a more secure BIND config. BTW, if anyone has any other suggestions on locking down BIND besides what is below and chroot, let me know. I was adding views, which has been debated time and time again as to whether or not it really helps, but anyway. My problem is that I have the latest bogons from Team Cymru, which include my internal network subnet 192.168.16.0/21: the bogons list contains 192.168.0.0/16, which is blackholed, so my local network is being blackholed, but it works fine when users not in the bogons query the server from the external view. My question is how I can get this to work without adding each CIDR block of 192.168.0.0/16 separately or even breaking it up into /21s? I have tried everything I know how. A sanitized portion of my named.conf is this:

// For the sake of length I took out the other networks.

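// Clients that get the recursive "internal" view. Every element of an
// address match list needs its own trailing semicolon; the original left it
// off after the /21, which named's parser rejects as a syntax error.
acl i_lan { 127.0.0.1; 192.168.16.0/21; };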
// Hosts allowed to pull zone transfers (used by allow-transfer in both
// views): localhost plus two addresses, presumably the other name servers.
acl i_dns {
    127.0.0.1;
    192.168.16.2;
    192.168.23.2;
};
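// Source addresses the server drops outright (see blackhole in options).
// Address match lists are first-match, so the negated local subnet has to
// come before the 192.168.0.0/16 entry that would otherwise swallow it.
// NOTE(review): a pasted bogon list is a snapshot; unallocated prefixes get
// allocated over time, so refresh it from its source regularly or stale
// entries will silently drop legitimate clients.
acl bogons {
    !192.168.16.0/21;
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    5.0.0.0/8;
    192.168.0.0/16;
    198.18.0.0/15;
    223.0.0.0/8;
    224.0.0.0/3;
};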

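options {
          // Reported for version.bind CHAOS TXT queries instead of the real version.
          version "Go Away";
          directory "/var/named";
          dump-file "/var/dump/named_dump.db";
          pid-file "/var/run/named/named.pid";
          statistics-file "/var/stats/named.stats";
          // Global default; only the "internal" view (matched on i_lan) turns it on.
          recursion no;
          allow-query { any; };
          listen-on { 127.0.0.1; 192.168.16.2;};
          recursive-clients 1000;
          tcp-clients 1000;
          auth-nxdomain yes;
          // The blackhole list is applied before any view is matched, so an
          // address in bogons never reaches "internal" even if it is in i_lan.
          // Note that the listen-on address itself lies inside 192.168.0.0/16.
          blackhole { bogons; };
// The options block must be closed before the first view; the original ran
// straight into view "internal", which is a syntax error.
};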

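view "internal" {
      // Views are tried in order; i_lan clients stop here and are the only
      // ones that get recursion.
      match-clients { i_lan; };
      notify no;
      recursion yes;
      allow-transfer { i_dns;};
zone "localhost" {
      type master;
      file "localhost.zone";
};
zone "127.in-addr.arpa" {
      type master;
      file "localhost.zone";
};
zone "0.in-addr.arpa" {
      type master;
      file "named.zero";
};
zone "255.in-addr.arpa" {
      type master;
      file "named.broadcast";
// The original left this zone unclosed, so its "};" was taken as the end of
// the zone and the view itself was never terminated.
};

// zones go here
};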

view "external" {
      // Everyone not already taken by "internal": authoritative answers only.
      // The !i_lan is belt-and-braces, since views are matched in order.
      recursion no;
      match-clients { !i_lan; any; } ;
      allow-transfer { i_dns;};
// zones go here
};


Any help is appreciated, and thanks in advance.

RootNet08

