zone transfer to the local network

Lubomir Majersky lumax at in.acompp.sk
Thu Aug 9 22:22:18 CEST 2007


Greetings,

	first I'm quoting part of named.conf (BIND 9.3.3), so that I can then describe 
two situations:


// Access list
acl "xfer" { 192.168.1.0/24; 195.98.29.154; 195.98.29.155; };
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };
// List of forbidden networks which according to IANA are test, RFC1918, multicast, experimental...
acl "bogon" { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 10.0.0.0/8; 
23.0.0.0/8; 27.0.0.0/8;
31.0.0.0/8; 36.0.0.0/8; 37.0.0.0/8; 39.0.0.0/8; 42.0.0.0/8; 46.0.0.0/8; 
49.0.0.0/8; 50.0.0.0/8;
94.0.0.0/8; 95.0.0.0/8; 100.0.0.0/8; 101.0.0.0/8; 102.0.0.0/8; 
103.0.0.0/8; 104.0.0.0/8; 105.0.0.0/8;
106.0.0.0/8; 107.0.0.0/8; 108.0.0.0/8; 109.0.0.0/8; 110.0.0.0/8; 
111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8;
114.0.0.0/8; 115.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 173.0.0.0/8; 
174.0.0.0/8; 175.0.0.0/8;
176.0.0.0/8; 177.0.0.0/8; 178.0.0.0/8; 179.0.0.0/8; 180.0.0.0/8; 
181.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8;
184.0.0.0/8; 185.0.0.0/8; 186.0.0.0/8; 187.0.0.0/8; 192.0.2.0/24; 
197.0.0.0/8; 223.0.0.0/8; 224.0.0.0/3;
};

// I had to remove this subnet from the ACL "bogon", because I use it in our local network
//192.168.0.0/16;


// Logging section
logging {
//    channel default_syslog {
//	syslog local7;
//        severity debug;
//        };
     channel audit_log {
	file "/var/log/named.log";
         severity debug;
	print-time yes;
         };
//    category config { default_syslog; };
//    category default { default_syslog; };
//    category general { default_syslog; };
     category client { audit_log; };
//    category network { audit_log; };
//    category queries { audit_log; };
//    category xfer-in { audit_log; };
     category xfer-out { audit_log; };
//    category lame-servers { null; };
};

// Global settings
options {
     directory "/etc/namedb";
     dump-file	"/var/dump/named_dump.db";
     pid-file	"/var/run/named/pid";
     statistics-file	"/var/stats/named.stats";
     allow-query { trusted; };
     allow-transfer { xfer; };
     blackhole { bogon; };
     forwarders { 195.168.1.2; 195.168.1.4; 195.168.1.6; };
};

view "internal" {
     match-clients { trusted; };
     recursion yes;
	zone "." {
	    type hint;
	    file "named.root";
	};

	zone "0.0.127.in-addr.arpa" {
	    type master;
	    file "master/localhost.rev";
	    allow-query { any; };
	    allow-transfer { none; };

	};

	// Reverse record for zx.intra.acompp.sk //because of SSH...
	zone "1.168.192.in-addr.arpa" {
	    type master;
	    file "master/intra.rev";
	};
};

view "external" {
     match-clients { any; };
     recursion no;
	zone "." {
	    type hint;
	    file "named.root";
         };

	// Reverse record for zx.acompp.sk
	zone "29.98.195.in-addr.arpa" {
	    type master;
	    file "master/acompp.rev";
	    allow-query { any; };
	};
	zone "acompp.sk" {
	    type master;
	    file "master/acompp.sk";
	    allow-query { any; };
	};
...
...
...
};
************************************************************************
1.
If the network 192.168.1.0/24 is defined in the ACL "trusted", then the zone 
transfer to a machine on the local network does not go through and it reports the standard error:

09-Aug-2007 21:25:36.018 client 192.168.1.11#3834: view internal: query: acompp.sk IN AXFR +
09-Aug-2007 21:25:36.019 client 192.168.1.11#3834: view internal: bad zone transfer request: 'acompp.sk/IN': non-authoritative zone (NOTAUTH)

The error is clear to me, I know what it means, but what isn't clear to me is why 
the view "external" doesn't apply... ...does the order matter, or does it, heaven forbid, 
work in the style of "first matching rule and done"?


2.
If I remove the subnet 192.168.1.0/24 from the ACL "trusted", then the zone transfer 
to the local network goes through,

09-Aug-2007 21:45:09.589 client 192.168.1.11#3850: view external: transfer of 'acompp.sk/IN': AXFR started
09-Aug-2007 21:45:09.589 client 192.168.1.11#3850: view external: transfer of 'acompp.sk/IN': AXFR ended

but unfortunately I only see this:

*********
Resource records for this zone:
   acompp.sk, SOA, zx.acompp.sk, root.zx.acompp.sk
Resource records for this zone:
- No data returned for this query
*********

and not what I should see (a detailed listing of everything), even though there is 
no error in the log and the transfer went through fine. This also isn't clear 
to me, why I see what I see. I also have one ancient server running 
BIND version 8.3.7, and when I do a zone transfer from it to the local 
network, I get absolutely everything in the listing.

And what's even more important is that afterwards recursive queries 
no longer work, because the view "external" applies, and from the local network it is of course 
a problem to browse...


I don't know, maybe it can be configured quite simply, but I just don't 
"see" it. I simply want it to be possible to do zone transfers to the 
local network as well, and at the same time for recursive queries to work from the local network.

Thanks for the nudge.
-- 
LuMaX
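The following is an added illustration, not part of the original post and not BIND's own code: a small, simplified Python model of how BIND 9 selects a view for a client. It encodes only what is needed to reproduce the two situations described above (views evaluated in configuration order, first `match-clients` match wins, a zone is authoritative only in the views that define it, `allow-transfer` from `options` applied to the selected zone) and adds a third case in which the `acompp.sk` zone is also defined inside the "internal" view. The function and variable names (`select_view`, `answer_axfr`, `CASE1`...`CASE3`) are the example's own; the ACLs, zone names and client address 192.168.1.11 are taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical, simplified model of BIND 9 view selection (added example,
# not BIND's code). Modelled: match-clients, per-view zone lists,
# per-view recursion and the global allow-transfer ACL.


def parse_acl(entries):
    """Turn an ACL such as { 192.168.1.0/24; 195.98.29.154; } into networks.
    The BIND keywords "any" and "none" are handled specially."""
    nets = []
    for entry in entries:
        if entry == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif entry == "none":
            continue
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def acl_matches(nets, client):
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in nets)


@dataclass
class View:
    name: str
    match_clients: list   # parsed match-clients ACL
    recursion: bool
    zones: frozenset      # zones defined inside this view


def select_view(views, client):
    """BIND evaluates views in configuration order; the first view whose
    match-clients ACL matches the client handles the whole query."""
    for view in views:
        if acl_matches(view.match_clients, client):
            return view
    return None


def answer_axfr(views, allow_transfer, client, zone):
    """Outcome of an AXFR request, returned as (status, view name)."""
    view = select_view(views, client)
    if view is None:
        return ("REFUSED", None)
    if zone not in view.zones:
        # Zone not defined in the selected view: NOTAUTH, which is what
        # the "internal" view logs in case 1 of the post.
        return ("NOTAUTH", view.name)
    if not acl_matches(allow_transfer, client):
        return ("REFUSED", view.name)
    return ("AXFR", view.name)


def recursion_for(views, client):
    """Whether the selected view offers recursion to this client."""
    view = select_view(views, client)
    return bool(view and view.recursion)


# ACLs and zone lists taken from the post's named.conf
XFER = parse_acl(["192.168.1.0/24", "195.98.29.154", "195.98.29.155"])
INTERNAL_ZONES = frozenset({"0.0.127.in-addr.arpa", "1.168.192.in-addr.arpa"})
EXTERNAL_ZONES = frozenset({"29.98.195.in-addr.arpa", "acompp.sk"})


def build_views(trusted, internal_zones=INTERNAL_ZONES):
    # Same order as in the post: "internal" first, "external" second.
    return [
        View("internal", parse_acl(trusted), True, internal_zones),
        View("external", parse_acl(["any"]), False, EXTERNAL_ZONES),
    ]


# Case 1: 192.168.1.0/24 is in "trusted"
CASE1 = build_views(["127.0.0.1", "192.168.1.0/24"])
# Case 2: the subnet removed from "trusted"
CASE2 = build_views(["127.0.0.1"])
# Case 3: subnet kept in "trusted" and acompp.sk also defined in "internal"
CASE3 = build_views(["127.0.0.1", "192.168.1.0/24"], INTERNAL_ZONES | {"acompp.sk"})

if __name__ == "__main__":
    for label, views in (("case 1", CASE1), ("case 2", CASE2), ("case 3", CASE3)):
        print(label, answer_axfr(views, XFER, "192.168.1.11", "acompp.sk"),
              "recursion:", recursion_for(views, "192.168.1.11"))
```

Running the model reproduces the log: in case 1 the local client lands in "internal", which has no `acompp.sk` zone, so the AXFR is answered NOTAUTH; in case 2 the client falls through to "external", the transfer succeeds but recursion is off for that client. Case 3 shows the effect of defining the zone in both views: the local client stays in "internal", keeps recursion, and the transfer is still gated by the `xfer` ACL, so an address outside it is refused.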
