
I'm running Bind on OpenWrt 15.05.1 as a DNS server. I wanted to set up multiple views, with different zones.

acl "trusted" {
        10.0.1.0/24;
        localhost;
        localnets;
};

acl "blacklisted" {
        10.0.1.10;
};

options {
        directory "/tmp";
        recursion yes;
        allow-recursion { trusted; };
        allow-transfer { none; };
        dnssec-validation auto;
        forwarders {
                8.8.8.8;
        };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

view "blacklist" {
        match-clients { blacklisted; };
        zone "example.com" { type master; file "/etc/bind/zones/db.example"; };
};

view "normal" {
        match-clients { any; };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
};

And it works well, but only if the IP address in the "blacklisted" acl has a subnet mask at its end (like this: 10.0.1.10/28). But I'm trying to target only one IP, which is not working for some reason.

Thanks for replies.

  • Can you be more specific about how it doesn't work? Also, what address is `10.0.1.10` in this context? Based on how you use it with `match-destinations` I gather it must be one of the addresses of the nameserver? – Håkan Lindqvist Jan 24 '17 at 22:03
  • I don't know if openwrt binds all interfaces; you might want to make sure you're only recursive internally – Jacob Evans Jan 24 '17 at 22:11
  • you can also use match-clients in the zone config – Jacob Evans Jan 24 '17 at 22:12
  • @PepinCZ Please confirm what the actual intention of using `match-destinations` was. If the solution is to change the client address matching it seems that maybe you meant to use `match-clients` all along? (Which may make for a more straightforward solution) – Håkan Lindqvist Jan 24 '17 at 22:20
  • @HåkanLindqvist in this scenario `match-clients` was meant to be there. I just wrote it as an example (because the question was about Bind ignoring the "blacklist" view). –  Jan 24 '17 at 22:24
  • But if `10.0.1.10` is not one of the addresses of the nameserver, it's an example where that view is supposed to never match, right? However, if you then pick a sufficiently short prefix, such that the address of the nameserver is included, it would start to match. That's my best guess at what the actual problem was. – Håkan Lindqvist Jan 24 '17 at 22:28
  • @HåkanLindqvist actually no, I tried it with `match-clients` and many other options, so that problem wasn't there. I also edited the original question to use `match-clients` to avoid confusion. –  Jan 24 '17 at 22:32
  • Assuming the views are actually in this order in your config file, I would say the updated configuration in the question will work. – Håkan Lindqvist Jan 24 '17 at 22:37
  • @HåkanLindqvist well I thought so too, but apparently not. I'm not a very experienced Bind user, but I've been reading manuals and stuff and just couldn't find why it doesn't work. I would never have thought I need to restrict "blacklisted" from the "normal" view. –  Jan 24 '17 at 22:41

3 Answers

UPDATE:

You can specify single IP addresses.

i.e.

acl "someips" {
  10.0.0.1; 192.168.23.1; 192.168.23.15;
};

See this

Dylan Martin
  • I actually tried that, but it has the same effect as without /32. It just doesn't work. –  Jan 24 '17 at 21:55

update { any; } sections with

{ !blacklisted; any; } in your normal view

Jacob Evans
  • This is not what I want. I just want to serve different zone files to "blacklisted". And a /32 subnet doesn't work either. But /28, for example, works perfectly how I want. –  Jan 24 '17 at 21:57
  • list the zone in both views if you need it in both views, clients only go into one view – Jacob Evans Jan 24 '17 at 21:58
  • that isn't the problem. If I use a /28 subnet (10.0.1.10/28), it works as expected. But when I just enter the IP or /32, the "blacklist" view just gets ignored for some reason. –  Jan 24 '17 at 22:00
  • updated, sorry wrong bracket section – Jacob Evans Jan 24 '17 at 22:02
  • if you want blacklist to get hints, include that in your blacklist view – Jacob Evans Jan 24 '17 at 22:03
  • Amazing! Thanks! Now it works exactly as I wanted! Thank you so much. But I'm still curious why it requires that, though... –  Jan 24 '17 at 22:06
  • views match once; if you don't deny, your any matches will cause strange issues – Jacob Evans Jan 24 '17 at 22:07
  • I don't get how this can help if it was indeed intentional to use `match-destinations` in the other view. The proposed changes relate to source address, not destination address? The prefix length is optional. – Håkan Lindqvist Jan 24 '17 at 22:11
  • correct, he doesn't need CIDR – Jacob Evans Jan 24 '17 at 22:14
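Added example (not from the question or any of the answers): a small Python model of the BIND rules the answer above relies on. An address match list is evaluated in order, the first matching element decides, a `!` prefix negates that element, a bare address is a /32, and a client is served by the first view whose `match-clients` list accepts it. The ACL names are the ones from the question; `localhost`/`localnets` are approximated with 127.0.0.0/8, and the helper names `match_list` and `select_view` are my own.

```python
import ipaddress

# Constructed model of BIND address-match-list evaluation (not BIND's code).
# An ACL is an ordered list of elements: an IP or IP/prefix string, the name of
# another ACL, "any"/"none", or any of those prefixed with "!" for negation.

ACLS = {
    # "localhost"/"localnets" from the question approximated with 127.0.0.0/8
    "trusted": ["10.0.1.0/24", "127.0.0.0/8"],
    # a bare address is treated as a single host, i.e. a /32
    "blacklisted": ["10.0.1.10"],
}


def _element_matches(addr, element):
    """True if one non-negated element covers the client address."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in ACLS:
        # Nested ACL: treated as matching when it would accept the client
        # (simplification of BIND's nested-negation handling).
        return match_list(addr, ACLS[element])
    # strict=False lets "10.0.1.10/28" mean the enclosing 10.0.1.0/28 block.
    return addr in ipaddress.ip_network(element, strict=False)


def match_list(client, elements):
    """Evaluate an address match list: first match wins; a negated match rejects.

    A client that matches no element is rejected, as in BIND.
    """
    addr = ipaddress.ip_address(client) if isinstance(client, str) else client
    for element in elements:
        negated = element.startswith("!")
        target = element[1:] if negated else element
        if _element_matches(addr, target):
            return not negated
    return False


def select_view(client, views):
    """Return the name of the first view whose match-clients accepts the client.

    `views` is an ordered list of (view_name, match_clients_list). BIND refuses
    queries from a client that matches no view, modelled here as None.
    """
    for name, match_clients in views:
        if match_list(client, match_clients):
            return name
    return None


# The question's two views as posted, and with the answer's change applied
# to the "normal" view.
VIEWS_ORIGINAL = [("blacklist", ["blacklisted"]), ("normal", ["any"])]
VIEWS_FIXED = [("blacklist", ["blacklisted"]), ("normal", ["!blacklisted", "any"])]


if __name__ == "__main__":
    for client in ("10.0.1.10", "10.0.1.20", "127.0.0.1"):
        print(client,
              "original:", select_view(client, VIEWS_ORIGINAL),
              "fixed:", select_view(client, VIEWS_FIXED),
              "original-reversed:", select_view(client, list(reversed(VIEWS_ORIGINAL))),
              "fixed-reversed:", select_view(client, list(reversed(VIEWS_FIXED))))
```

Running it shows why the explicit `!blacklisted` matters even though a bare `10.0.1.10` already equals `10.0.1.10/32`: with the views in the posted order both configurations send 10.0.1.10 to "blacklist", but if the "normal" view ends up first (for example after an include is reordered), its `{ any; }` swallows the blacklisted client and the "blacklist" view is silently never reached. With `{ !blacklisted; any; }` the "normal" view rejects that client regardless of view order, so the result no longer depends on ordering. It also shows the difference between the two forms the asker tried: `10.0.1.10` matches exactly one host, while `10.0.1.10/28` matches the whole 10.0.1.0-10.0.1.15 block.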

For a single IP in an ACL, you can add /32, e.g. 10.0.1.10/32