Date:      Sun, 04 Jul 2010 06:27:53 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Chris Maness <chris@chrismaness.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: BIND Refusing to Resolve for External Hosts
Message-ID:  <4C301BD9.30405@infracaninophile.co.uk>
In-Reply-To: <AANLkTilXU4_O6rIFXtZ_A4223kWwxxzRLNgQX1qWIKis@mail.gmail.com>
References:  <AANLkTimgwvEhu9gt-L9_apH_rnwsv3NHSBARpHJepsvy@mail.gmail.com>	<AANLkTimWrBi3wxvkKR0tLabbI1nz7fU_7xu0QZFeJ8ep@mail.gmail.com>	<AANLkTinhx0LuivXNQNQKz3g57OSWTScWIIyZlP_ngrdk@mail.gmail.com>	<AANLkTikp3KxZ3hwo5o5Zv2jS7Q9unVvXmXSVB0HBgkdZ@mail.gmail.com>	<4C2CA73E.9010700@infracaninophile.co.uk>	<AANLkTilcO5uZnUceNyqBf3rLv1KoJXNfI9df3xtNcKIu@mail.gmail.com>	<4C2F9503.5020801@infracaninophile.co.uk>	<AANLkTikfS7tt1xNLdjuKCw-JH7fysMZtIx89MEQyEwQJ@mail.gmail.com>	<AANLkTimeWoB3d1hiRGfPXD7hgPrlbySIy52pEhBRLh1t@mail.gmail.com> <AANLkTilXU4_O6rIFXtZ_A4223kWwxxzRLNgQX1qWIKis@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/07/2010 22:29:46, Chris Maness wrote:
> Ahhh, I see I need to add:
> 
> allow-query { any; };
> 
> to my authoritative zones.
> 
> Thanks it all works now.

Great.

> p.s.  So was this a change in the default behavior of BIND over the
> years?  Because I don't think my named.conf has been changed, and this
> used to work for any hosts.

The built-in access control rules have evolved over time, certainly.
However, this hasn't changed since BIND 9.6 was released, and possibly
longer than that.  RELENG_8 and above have contained BIND 9.6.x from the
point where the branch was created, but RELENG_7 contains BIND 9.4.x --
so if you've done an upgrade from 7.x to 8.x recently it might explain
your experiences.

The pre-canned configuration that comes with FreeBSD is suitable for use
as a localhost-only recursive resolver: if you want to serve a whole
network of machines or add authoritative data then you will need to
modify it or craft your own named.conf, an important part of which is
setting up ACLs to control what you will serve to who.  This is a very
useful reference:

  http://www.cymru.com/Documents/secure-bind-template.html

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwwG9kACgkQ8Mjk52CukIyPdwCeKKNIRAl3xfGRlyRovx4tMu/f
flcAn1aoYlhHv1VO4hCrLFKCyBGG8N/R
=3N80
-----END PGP SIGNATURE-----
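
The ACL arrangement discussed in this thread, written out as a named.conf fragment: recursion stays limited to known clients while the authoritative zone answers everyone. This is an added example, not taken from either poster's configuration; the ACL name "trusted", the 192.0.2.0/24 network, the example.org zone and its file name are assumptions chosen for illustration.

```conf
// Constructed example: every name and address below is a placeholder.
acl "trusted" {
    localhost;            // built-in ACL: this host's own addresses
    192.0.2.0/24;         // assumed internal network (documentation range)
};

options {
    // Recursive lookups and cached answers only for trusted clients,
    // so the server does not act as an open resolver.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };

    // Assumed restrictive global default for queries; a zone that
    // sets its own allow-query overrides this.
    allow-query       { "trusted"; };
};

// Authoritative data: external hosts must be able to query it,
// hence the per-zone override mentioned in the thread.
zone "example.org" {
    type master;
    file "example.org.db";    // placeholder zone file name
    allow-query { any; };
};
```

Running named-checkconf against the edited file before reloading named catches syntax errors in the ACL and zone blocks.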


