Sunday, November 9, 2014

Bind 9 - allow-query-on versus listen-on



I was just wondering about differences in behavior between Bind 9's allow-query-on and listen-on statements. They appear to perform similar functions. According to Chapter 6 of the ARM ("Bind 9 Configuration"):




The interfaces and ports that the server will answer queries from may
be specified using the listen-on option.





The syntax given is:




listen-on [ port ip_port ] [ dscp ip_dscp ] { address_match_list } ;




Also in the same chapter:




allow-query-on: Specifies which local addresses can accept ordinary

DNS questions.




The syntax given is:




allow-query-on { address_match_list } ;




From the syntax, it looks like allow-query-on does not allow port numbers to be specified. Are there other differences too?



Answer



They're not really similar functions. The listen-on statement is required for named to bind on a specific IP address and port. Without setting it, the default is to listen for DNS queries on port 53 of all interfaces on your server. If you have a server with multiple interfaces and you only want to provide DNS services on one of them, use listen-on to only listen on the one interface. Trying to do it the other way with allow-query-on only will leave BIND still listening on all interfaces. The best way is to use both, i.e. bind to only the interface(s) you need and then further restrict the type of queries you permit.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...