Understanding Bind DNS ACL Directives
An ACL or access control list can be used in DNS to restrict unwanted queries to the DNS server
- In its simplest form, an ACL assigns a name to an address match list.
- Can generally be used in place of a match list (nesting is allowd).
- Best practice is to define ACL's at the top of /etc/named.conf.
Address Match List
A semicolon-seperated list of IP Addresses or subnets used with security directives for host based access control.
Format
- IP Address : 192.168.1.1
- Trailing dot: 192.168.0.
- CIDR: 192.168.1/24 [Classless InterDomain Routing]
- Use a bang (!) to denote inversion / negation.
Example Declaration
The following ACL defines a trusted host:
acl "trusted" { 192.168.1.21; };
The following ACL defines a trusted domain or network
acl "classroom" { 192.168.0.0/24; trusted; };
This ACL defines an untrusted network or domain
acl "cracker" { 192.168.1.0/24; };
This ACL defines the MASTER DNS SERVER
acl "mymasters" { 192.168.1.1; };
Usage as follows:
The above ACL's can be used with the following directives in the /etc/named.conf as:
Option: listen-on port 53 { trusted; };
The option above states that the DNS is setup on "trusted" ACL and you are configuring Bind to listen to IP address of the same system.
Option: allow-query { classroom; !cracker; };
The option above will allow queries from all hosts that are in the "classroom" ACL but not from "cracker" ACL.
Option: allow-transfer { classroom; !cracker; };
The option above will allow zone transfer to Slave DNS servers in the "classroom" ACL but not to"cracker" ACL.
Option: forwarders { classroom; !cracker; };
The option above will forward queries "classroom" ACL but not to"cracker" ACL.
Likewise you can form ACL's and fine tune and restrict you DNS server so as to deny unwanted domains and queries.
Hello, I love reading through your blog, I wanted to leave a little comment to support you and wish you a good continuation. Wish you best of luck for all your best efforts.Regards aws jobs in hyderabad.
ReplyDelete