Ticket #166 (new enhancement)

Opened 3 years ago

Last modified 9 months ago

BIND backend support for 'allow-query' ACL to restrict zone lookups by source IP

Reported by: anon Owned by: somebody
Priority: normal Milestone:
Component: component1 Version:
Severity: normal Keywords:
Cc:

Description

The attached patch will enable support in the BIND backend to read a list of subnets from an 'allow-query' directive in a zone definition in named.conf, and not perform a lookup on that zone if the source of the query is not found in the listed subnets. It is similar in concept and function to the 'allow-recursion' directive in pdns.conf, and largely based on it.

Attachments

bind_restrict_query.patch Download (4.6 KB) - added by anon 2 years ago.
allow-query.patch Download (6.7 KB) - added by anon 9 months ago.

Change History

Changed 2 years ago by anon

Changed 2 years ago by anon

I've updated (replaced) the patch to correct some shortcomings, specifically, it now:

  • Issues SERVFAIL rather than NXDOMAIN
    • Which also prevents denied lookups from being cached
  • Does not check the connecting IP when there isn't one, i.e. for internal lookups
    • This caused a signal 11, e.g., when preparing to do zone notifications
  • Logs the connecting IP
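As an added illustration of the behaviour described in the ticket description and in the comment above (this is example code written for this page, not the attached patches and not PowerDNS code), the following IPv4-only sketch reads an 'allow-query' list out of a named.conf zone block, answers SERVFAIL rather than NXDOMAIN when the source address is outside every listed subnet, and skips the check entirely when there is no connecting IP, which models the internal-lookup case that caused the signal 11. The zone block, the function names (parseAllowQuery, checkAllowQuery, sampleVerdict) and the use of an empty string for "no connecting IP" are all assumptions made for this example; PowerDNS's own checkacl code is not reproduced here.

```cpp
// Added example, not PowerDNS or patch code: an allow-query style source-IP
// ACL for one zone. IPv4 only; an empty source string models an internal
// lookup with no connecting IP (e.g. preparing zone notifications).
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct Netmask {
    uint32_t network;  // network address, host byte order, already masked
    uint32_t mask;     // prefix mask, host byte order
};

struct Acl {
    bool restricted;            // false when the zone has no allow-query directive
    std::vector<Netmask> nets;  // subnets allowed to query the zone
};

enum class Verdict { Allow, Servfail };

// Parse a dotted quad into a host-order uint32; throws on malformed input.
uint32_t parseIPv4(const std::string& s) {
    unsigned a, b, c, d;
    char trailing;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        throw std::runtime_error("bad IPv4 address: " + s);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// Parse "a.b.c.d/n" (a bare "a.b.c.d" means /32) into a Netmask.
Netmask parseNetmask(const std::string& s) {
    std::string addr = s;
    unsigned long bits = 32;
    size_t slash = s.find('/');
    if (slash != std::string::npos) {
        addr = s.substr(0, slash);
        bits = std::stoul(s.substr(slash + 1));
        if (bits > 32) throw std::runtime_error("bad prefix length: " + s);
    }
    // Shifting by 32 is undefined, so /0 is special-cased.
    uint32_t mask = bits == 0 ? 0 : (0xFFFFFFFFu << (32 - bits));
    return Netmask{parseIPv4(addr) & mask, mask};
}

// Pull the allow-query { ...; } list out of one zone block. A zone without
// the directive is unrestricted, which matches BIND's default.
Acl parseAllowQuery(const std::string& zoneBlock) {
    Acl acl{false, {}};
    size_t pos = zoneBlock.find("allow-query");
    if (pos == std::string::npos) return acl;
    size_t open = zoneBlock.find('{', pos);
    size_t close = zoneBlock.find('}', open);
    if (open == std::string::npos || close == std::string::npos)
        throw std::runtime_error("malformed allow-query directive");
    acl.restricted = true;
    std::stringstream ss(zoneBlock.substr(open + 1, close - open - 1));
    std::string item;
    while (std::getline(ss, item, ';')) {
        size_t start = item.find_first_not_of(" \t\r\n");
        if (start == std::string::npos) continue;  // whitespace after the last ';'
        size_t end = item.find_last_not_of(" \t\r\n");
        acl.nets.push_back(parseNetmask(item.substr(start, end - start + 1)));
    }
    return acl;
}

// Decide whether a lookup in this zone from `source` may proceed.
Verdict checkAllowQuery(const Acl& acl, const std::string& source) {
    if (!acl.restricted) return Verdict::Allow;  // no directive: zone is open
    if (source.empty()) return Verdict::Allow;   // internal lookup: nothing to check
    uint32_t ip = parseIPv4(source);
    for (const Netmask& n : acl.nets)
        if ((ip & n.mask) == n.network) return Verdict::Allow;
    std::fprintf(stderr, "allow-query: denied lookup from %s\n", source.c_str());
    return Verdict::Servfail;  // SERVFAIL rather than NXDOMAIN, so the denial is not cached
}

// Constructed named.conf fragment for this example (not from a real config).
const std::string kZoneBlock =
    "zone \"example.test\" {\n"
    "    type master;\n"
    "    file \"example.test.zone\";\n"
    "    allow-query { 10.0.0.0/8; 192.168.1.0/24; 203.0.113.7; };\n"
    "};\n";

// Verdict for a source address against the sample zone block.
Verdict sampleVerdict(const std::string& source) {
    return checkAllowQuery(parseAllowQuery(kZoneBlock), source);
}

int main() {
    const char* sources[] = {"10.1.2.3", "192.168.1.77", "203.0.113.7", "198.51.100.9", ""};
    for (const char* s : sources)
        std::printf("%-14s %s\n", *s ? s : "(internal)",
                    sampleVerdict(s) == Verdict::Allow ? "allow" : "SERVFAIL");
    return 0;
}
```

The two behaviours the updated patch added are the two early returns in checkAllowQuery: a zone without the directive and a lookup without a peer address are both allowed, and only a real remote address outside every subnet is refused, with SERVFAIL so that resolvers do not cache a negative answer for a name that does exist.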

Changed 21 months ago by anon

I just want to add a vote for this functionality... I really need it. The patch still applies and works with 2.9.21. The only thing missing is the ability to use ACLs with allow-query, and I haven't had a chance to look into the code for adding that myself yet.

Changed 9 months ago by anon

Changed 9 months ago by anon

My patch uses the checkacl functions from [1360].
