DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)

DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual 529432-003
3-12
Use ACLs
To keep the name server from being flooded with inappropriate recursive queries, you can
configure it either to refuse recursive queries altogether or to accept them only from
certain clients. (This restriction is sensible for a second-level name server that does not
appear in the /etc/resolv.conf file of any resolving client: such a server has no business
recursing on anyone's behalf, and a name server that recurses for arbitrary Internet
clients is also a ready-made reflector for traffic-amplification attacks.) Use the
allow-recursion option in named.conf to restrict recursive queries.
To keep your name server from answering any queries at all except from certain sources,
which you might want to do in the firewalled internal-server and external-server
arrangement shown in Figure 3-6, use the allow-query option to restrict all types of
query. (Configure allow-query in named.conf.) Note the difference in scope:
allow-recursion governs only recursive lookups, whereas allow-query governs every query,
including queries for zones the server is authoritative for, so a server that must answer
the outside world for a zone cannot simply deny all queries.
The HP external servers in the diagram provide a selective view of the HP domain to
the outside world and resolve HP client requests about the outside world.
The external servers might be connected directly to the Internet or behind the firewall.
Traffic could be restricted to DNS (UDP and TCP port 53). The servers could have just
a subset of resource records for the hp.com domain, such as resource records for mail
hubs and selected http servers.
The HP external servers would be delegated the hp.com domain and the corresponding
reverse-mapping (in-addr.arpa) space by the InterNIC. This delegation causes queries
about hp.com from outside HP to be sent to the HP external servers.
To configure ACL security, define ACLs in the named.conf file. An ACL must be defined
before it is referenced, so acl statements are typically placed at the top of named.conf,
ahead of the options and zone statements that use them.
An ACL definition can include multiple address specifications. Instead of a subnet
mask, an address specification can carry a suffix giving the number of significant bits,
and trailing zero octets can be omitted. The address specification for blue-net,
{15.120.200/21;}, is equivalent to the subnet address 15.120.200.0 with the
mask 255.255.248.0.
An exclamation point (!) excludes the address specification that follows it. Elements are
tested in order and the first one that matches the client decides, so an exclusion must be
listed before any broader specification that would otherwise match the excluded address;
a client that matches no element at all is denied.
Example 3-2. Configuring ACL Security (named.conf)
# Define ACL
# acl "name" { [!] addr[/num_mask_bits]; ... };
acl "dns-servers" { 15.19.8.119; 15.19.8.197; 15.19.8.30; };
acl "blue-net" { 15.120.200/21; };
# The exclusion comes first: the first element that matches the client decides.
acl "no-badguy" { !18.1.1.66; 18.1.1; };
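The following is an added example, not code from the HP manual or from BIND. It models how named evaluates the address match lists behind acl, allow-query and allow-recursion (first match decides, a matching "!" element denies, no match denies, and a nested ACL counts only when it matches positively), so the effect of an exclusion's position can be checked before a configuration goes live. It goes beyond the manual's text in two ways: it includes a deliberately mis-ordered copy of no-badguy to show the exclusion being bypassed, and it references ACLs by name from allow-recursion. Assumptions: the named.conf text is constructed for this example, and an abbreviated address without a prefix length (18.1.1) is read as 8 bits per written octet (18.1.1.0/24), the classful shorthand the manual's example relies on.

```python
"""Model of BIND address-match-list evaluation for named.conf ACLs.

Added example, not the manual's or BIND's own code. Assumption: a bare
abbreviated address ('18.1.1') means 8 bits per written octet (18.1.1.0/24).
The NAMED_CONF fragment is constructed for this example.
"""
import ipaddress
import re

ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
OPTION_RE = re.compile(r'\b(allow-(?:query|recursion))\s*\{([^}]*)\}\s*;')

NAMED_CONF = """
acl "dns-servers" { 15.19.8.119; 15.19.8.197; 15.19.8.30; };
acl "blue-net" { 15.120.200/21; };          # 15.120.200.0 mask 255.255.248.0
acl "no-badguy" { !18.1.1.66; 18.1.1; };    # exclusion first, then the /24
# Same addresses in the wrong order: 18.1.1 matches first, so the
# exclusion is never consulted and 18.1.1.66 gets through.
acl "badguy-leaks-in" { 18.1.1; !18.1.1.66; };
acl "recursion-ok" { dns-servers; blue-net; no-badguy; };

options {
    recursion yes;
    allow-recursion { recursion-ok; };   // only these clients may recurse
    allow-query { any; };                // authoritative answers for everyone
};
"""


def expand_prefix(spec: str) -> ipaddress.IPv4Network:
    """'15.120.200/21' -> 15.120.200.0/21; '18.1.1' -> 18.1.1.0/24 (assumed
    classful shorthand); '15.19.8.119' -> 15.19.8.119/32."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    prefixlen = int(bits) if bits else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=True: a prefix with host bits set is rejected rather than silently masked
    return ipaddress.ip_network(f"{padded}/{prefixlen}", strict=True)


def parse_elements(body: str) -> list:
    """'!18.1.1.66; 18.1.1;' -> [(True, '18.1.1.66'), (False, '18.1.1')]"""
    elements = []
    for raw in body.split(";"):
        token = raw.strip()
        if token:
            elements.append((token.startswith("!"), token.lstrip("!").strip().strip('"')))
    return elements


def parse_named_conf(text: str):
    """Return (acls, options): acl name -> elements, and the allow-* lists."""
    text = re.sub(r"(#|//).*", "", text)  # drop line comments
    acls = {name: parse_elements(body) for name, body in ACL_RE.findall(text)}
    options = {opt: parse_elements(body) for opt, body in OPTION_RE.findall(text)}
    return acls, options


def match_list(acls: dict, elements: list, client_ip: str):
    """First match decides: 'allow', 'deny', or None when nothing matched."""
    ip = ipaddress.ip_address(client_ip)
    for negated, element in elements:
        if element == "any":
            matched = True
        elif element == "none":
            matched = False
        elif element in acls:
            # BIND treats a negative match inside a nested ACL as "no match",
            # so a negated nested list can never become a surprise positive.
            matched = match_list(acls, acls[element], client_ip) == "allow"
        else:
            matched = ip in expand_prefix(element)
        if matched:
            return "deny" if negated else "allow"
    return None


def permitted(conf, option: str, client_ip: str) -> bool:
    """Would named honour `option` (allow-query / allow-recursion) for this client?
    BIND denies when the list produces no match, so only 'allow' counts."""
    acls, options = conf
    return match_list(acls, options[option], client_ip) == "allow"


if __name__ == "__main__":
    conf = parse_named_conf(NAMED_CONF)
    acls, _ = conf
    for client in ("15.19.8.30", "15.120.207.255", "15.120.208.1",
                   "18.1.1.5", "18.1.1.66", "203.0.113.9"):
        print(f"{client:>15}  query={permitted(conf, 'allow-query', client)!s:5}  "
              f"recursion={permitted(conf, 'allow-recursion', client)}")
    print("no-badguy   vs 18.1.1.66:", match_list(acls, acls["no-badguy"], "18.1.1.66"))
    print("wrong order vs 18.1.1.66:", match_list(acls, acls["badguy-leaks-in"], "18.1.1.66"))
```

Running the script shows 18.1.1.66 denied by no-badguy but allowed by the mis-ordered copy, and shows that the client is also refused recursion through recursion-ok, because the nested deny is treated as no match rather than as a positive match. Every client is still answered under allow-query { any; }, which is the point of keeping the two options separate.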