Bind VIEWS -> access denied?

  • Hi all!

    I installed the bind package in my pfSense 2.x (up-to-date).

    I can use the pfSense now as resolver as shown:

    root@srv:/# dig @pfsense
    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pfsense
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65496
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
    ;                 IN      A
    ;; ANSWER SECTION:          195     IN      A
    ;; AUTHORITY SECTION:              84734   IN      NS              84734   IN      NS              84734   IN      NS              84734   IN      NS
    ;; ADDITIONAL SECTION:         171073  IN      A         171073  IN      A         171073  IN      A         171073  IN      A
    ;; Query time: 2 msec
    ;; SERVER:
    ;; WHEN: Sun Oct 18 20:56:44 2015
    ;; MSG SIZE  rcvd: 193

    All seems to be fine. Now I added a zone as a slave zone. Let's call it "". The master server is configured and allows zone transfers.
    See (reverse) log file, so far it is great:

    Oct 18 20:27:32 	named[61931]: running
    Oct 18 20:27:32 	named[61931]: all zones loaded
    Oct 18 20:27:32 	named[61931]: zone loaded serial 176

    I left the ACL settings at the default values, so I have any, none, localhost and localnet.
    Then I added a VIEW called "LOCAL" and used for "match-clients" the default ACL "any".

    Now I created a new ZONE (as slave zone), configured the master server properly and assigned the VIEW "LOCAL" to it.

    I can still query named with any hostnames, but it gives me no result for my "". The log file states "access denied":

    Oct 18 21:02:28 	named[41114]: client ( view LOCAL: query '' denied

    Anyone having a clue what I did wrong here?



  • Hi!

    Solved it on my own!

    I had to set the "allow-query" to localhost and localnets. Even though this setting seems to be irrelevant as it is under the "Master Zone Configuration" part...

    Now it is working fine!


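The "denied" line quoted in the thread is the quickest pointer to this kind of view/allow-query mismatch. The following is an added example, not part of the original posts: a small triage script that groups named denial lines by view, queried name and client origin, so denials hitting inside clients stand out. The log lines are constructed (the thread's own line has its address and name stripped), and `INTERNAL_NETS`, `summarize_denials` and `acl_suspects` are names chosen for this sketch.

```python
import ipaddress
import re
from collections import Counter

# Assumption: these RFC 1918 ranges are the "inside" networks; adjust as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# named "query ... denied" line. The "(qname)" group and the view prefix are
# optional: some BIND versions and view-less configurations omit them.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view (?P<view>[^:]+): )?"
    r"query (?:\(cache\) )?'(?P<name>[^/']+)/[^/']+/[^']+' denied")

# Constructed sample lines (addresses and names are made up).
SAMPLE_LOG = """\
Oct 18 21:02:28 named[41114]: client 192.168.1.20#40211 (host1.example.internal): view LOCAL: query 'host1.example.internal/A/IN' denied
Oct 18 21:02:30 named[41114]: client 192.168.1.20#40212 (host1.example.internal): view LOCAL: query 'host1.example.internal/AAAA/IN' denied
Oct 18 21:03:01 named[41114]: client 203.0.113.7#5353 (probe.example.org): view LOCAL: query 'probe.example.org/ANY/IN' denied
Oct 18 21:03:05 named[41114]: running
"""

def summarize_denials(lines):
    """Count denials per (view, queried name, client origin)."""
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue  # not a denial, or a format this regex does not cover
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # address field did not parse; skip rather than guess
        origin = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
        counts[(m["view"] or "-", m["name"].lower(), origin)] += 1
    return counts

def acl_suspects(counts):
    """(view, name) pairs denied to internal clients: check allow-query there."""
    return sorted({(v, n) for (v, n, origin) in counts if origin == "internal"})

if __name__ == "__main__":
    counts = summarize_denials(SAMPLE_LOG.splitlines())
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("check allow-query for:", acl_suspects(counts))
```

Denials for names in a zone you serve, coming from internal clients, point at the zone's or view's allow-query setting; denials from outside addresses are usually the ACL doing its job.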