There is BIND 9.11.5-P4-5.1+deb10u2-Debian (Extended Support Version) <id:998753c> for the local network; it works as a caching server and holds several domain zones.
Recursive requests are allowed only from the internal network; from the external network the server must respond only for zones that are known to it.
The problem is that the server does not respond for reverse zones from the external network, while forward zones work properly from any network.
# cat /var/log/named.log
...
Jul 13 08:41:08 named[14909]: client @0x7f968c0d64e0 89.209.65.11#49410 (220.X.X.109.in-addr.arpa): query (cache) '220.X.X.109.in-addr.arpa/PTR/IN' denied
...
Configuration
# cat /etc/bind/named.conf.options
options {
notify yes;
directory "/var/cache/bind";
allow-query { any; };
allow-recursion { LAN; };
allow-query-cache { LAN; };
allow-transfer { 172.19.0.2; };
dnssec-validation yes;
listen-on { 172.19.0.1; 109.X.X.X; };
listen-on-v6 { none; };
version "unknown";
};
# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
acl "LAN" {
INTERNAL_NETWORK;
localhost;
localnets;
};
zone "fibernet.X.X" {
type master;
file "/etc/bind/fibernet.X.X.zone";
};
zone "216/29.X.X.109.in-addr.arpa" {
type master;
file "/etc/bind/216_29.X.X.109.in-addr.arpa";
};
zone "128/26.X.X.188.in-addr.arpa" {
type master;
file "/etc/bind/128_26.X.X.188.in-addr.arpa";
};
# cat /etc/bind/216_29.X.X.109.in-addr.arpa
$ORIGIN 216/29.X.X.109.in-addr.arpa.
$TTL 21600
@ IN SOA ns1.fibernet.X.X. max.fibernet.X.X. (
2023071001
6H
2H
2W
1D)
@ NS ns1.fibernet.X.X.
@ NS ns2.fibernet.X.X.
220 PTR mail.fibernet.X.X.
218 PTR fibernet.X.X.
219 PTR bras1.fibernet.X.X.
If I add the following to the named.conf.options file
allow-query { any; };
allow-query-cache { any; };
allow-recursion { any; };
the reverse zones start working, but I don't need recursive requests from the external network.
How do I correctly configure bind9 for my task?
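A quick diagnostic check, added here and not part of the question: it parses `query (cache) ... denied` lines in the named.log format shown above and tests whether each denied name falls under one of the zones listed in named.conf. A name such as 220.X.X.109.in-addr.arpa is not inside the RFC 2317-style zone 216/29.X.X.109.in-addr.arpa, so BIND does not answer it authoritatively and treats it as a cache lookup, which is what allow-query-cache governs. The sample log line is constructed from the one quoted in the question.

```python
import re

# Zones this server is authoritative for, taken from the named.conf in the question.
AUTH_ZONES = [
    "fibernet.X.X",
    "216/29.X.X.109.in-addr.arpa",
    "128/26.X.X.188.in-addr.arpa",
]

# Constructed sample in the same format as the named.log line quoted above.
SAMPLE_LOG = """\
Jul 13 08:41:08 named[14909]: client @0x7f968c0d64e0 89.209.65.11#49410 (220.X.X.109.in-addr.arpa): query (cache) '220.X.X.109.in-addr.arpa/PTR/IN' denied
"""

# Matches the client address, queried name and query type of a denied query.
LOG_RE = re.compile(
    r"client @\S+ (?P<addr>[\d.]+)#\d+ \((?P<qname>\S+)\): "
    r"query \((?P<kind>\w+)\) '(?P<q>[^']+)' denied"
)


def in_zone(name, zone):
    """True if name equals zone or is below it (case-insensitive, trailing dot ignored)."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def authoritative_zone(name, zones=AUTH_ZONES):
    """Return the configured zone that contains name, or None if no zone does."""
    return next((z for z in zones if in_zone(name, z)), None)


def classify_denied(log_text, zones=AUTH_ZONES):
    """For every denied query in log_text, return (client, qname, zone-or-None).

    A None zone means the name is outside every configured zone, so BIND
    handled it as a cache query and the allow-query-cache ACL applied.
    """
    result = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        result.append((m.group("addr"), qname, authoritative_zone(qname, zones)))
    return result


if __name__ == "__main__":
    for client, qname, zone in classify_denied(SAMPLE_LOG):
        status = f"inside zone {zone}" if zone else "outside all configured zones (cache query)"
        print(f"{client}: {qname} -> {status}")
```

The RFC 2317 name form that this server would answer authoritatively is 220.216/29.X.X.109.in-addr.arpa; the plain 220.X.X.109.in-addr.arpa name belongs to the parent X.X.109.in-addr.arpa zone, which is not configured here.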