DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)

DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual 529432-003
Use ACLs
You can use four predefined ACLs (any, none, localhost and localnets) alone or with address specifications. When an ACL definition contains multiple elements, the elements are evaluated from left to right.
The ACL "no-badguy" allows all addresses on the 18.1.1 network except 18.1.1.66. When specified with the allow-query option, the server accepts all query requests from nodes on the 18.1.1 network except 18.1.1.66.
Allow Directives
Once you have defined the ACLs, you can use them in allow directives within zone statements. You can also specify the allow-query and allow-transfer directives in an options statement. An options statement defines global behavior for a server, so any allow directives in an options statement apply to all the server's domains.
Other Configuration Options
ACLs have uses other than controlling access. You can think of ACLs as shortcuts to specifying an extended list or range of IP addresses for use in all sorts of different circumstances. You can use an ACL whenever the parameter address_match_list appears in the named.conf configuration file syntax. Examples of this usage include the sortlist and the listen-on option sub-statements.
The four predefined ACLs are:
any        allows all hosts
none       denies all hosts
localhost  allows the IP addresses of all interfaces on the system
localnets  allows any host on a network for which the system has an interface
Caution. If the ACL "no-badguy" had instead been specified as:
acl "no-badguy" { 18.1.1.; !18.1.1.66; };
the ACL would allow all addresses on the 18.1.1 network, including 18.1.1.66, since 18.1.1.66 would first be checked against the 18.1.1 specification and match.
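The ordering problem described in the Caution can be checked mechanically before a configuration is loaded. The following Python sketch is an added example, not code from the HP manual: it models the left-to-right, first-match evaluation and reports negated elements that can never take effect. The function names are hypothetical, the two ACL bodies are constructed inputs, and the network is written as the full prefix 18.1.1.0/24 as an assumption so that Python's ipaddress module can parse it.

```python
import ipaddress

def parse_acl(body):
    """Turn 'elem; elem;' into ordered (negated, network) pairs.

    Only literal addresses and CIDR prefixes are handled; ACL names,
    keys and nested lists are outside the scope of this sketch.
    """
    elements = []
    for token in body.split(";"):
        token = token.strip()
        if not token:
            continue
        negated = token.startswith("!")
        net = ipaddress.ip_network(token.lstrip("!").strip(), strict=False)
        elements.append((negated, net))
    return elements

def allowed(elements, addr):
    """Evaluate left to right: the first matching element decides.
    An address that matches no element is denied."""
    ip = ipaddress.ip_address(addr)
    for negated, net in elements:
        if ip.version == net.version and ip in net:
            return not negated
    return False

def shadowed(elements):
    """List elements that can never decide a request because an
    earlier element already matches every address they cover."""
    dead = []
    for i, (negated, net) in enumerate(elements):
        for _, earlier in elements[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                dead.append(("!" if negated else "") + str(net))
                break
    return dead

# Constructed inputs: the misordered form from the Caution and the
# reordered form with the exclusion first.
MISORDERED = parse_acl("18.1.1.0/24; !18.1.1.66;")
CORRECTED = parse_acl("!18.1.1.66; 18.1.1.0/24;")

if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, allowed(acl, "18.1.1.66"), shadowed(acl))
```

Any element reported by shadowed() is a sign that an exclusion was placed after the broader specification it was meant to carve out of.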
Note. The default for allow-updates is none. (The DNS server does not accept any
dynamic update messages.) The allow-updates statement is typically used to enable
dynamic updates.