.. _mod-queryacl:

``queryacl`` — Limit queries by remote address or target interface
==================================================================

This module provides a simple way to whitelist incoming queries
according to the query's source address or target interface.
It can be used e.g. to create a restricted-access subzone with delegations from the corresponding public zone.
The module may be enabled both globally and per-zone.

.. NOTE::
   The module limits only regular queries. Notify, transfer and update are handled by :ref:`ACL<ACL>`.

Example
-------

::

   mod-queryacl:
     - id: default
       address: [192.0.2.73-192.0.2.90, 203.0.113.0/24]
       interface: 198.51.100

   zone:
     - domain: example.com
       module: mod-queryacl/default

Module reference
----------------

::

   mod-queryacl:
     - id: STR
       address: ADDR[/INT] | ADDR-ADDR ...
       interface: ADDR[/INT] | ADDR-ADDR ...

.. _mod-queryacl_id:

id
..

A module identifier.

.. _mod-queryacl_address:

address
.......

An optional list of allowed ranges and/or subnets for the query's source address.
If the query's address does not fall into any
of the configured ranges, the NOTAUTH rcode is returned.

*Default:* not set

.. _mod-queryacl_interface:

interface
.........

An optional list of allowed ranges and/or subnets for the query's target interface.
If the interface does not fall into any
of the configured ranges, the NOTAUTH rcode is returned. Note that every interface
used has to be configured in :ref:`listen<server_listen>`.

.. NOTE::
   Don't use the values *0.0.0.0* and *::0*. These values are redundant and don't
   work as expected.

*Default:* not set
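
The following is an added example, not code from the module itself: a small Python model of the ``address`` and ``interface`` checks described above, usable to review which clients a planned configuration admits and to flag the *0.0.0.0* / *::0* values. It assumes that an option which is not set places no restriction; the function names and the interface value ``198.51.100.1`` are constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) for one ADDR, ADDR/INT or ADDR-ADDR entry."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo, hi
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(entry)
    return addr, addr

def in_any(ip, entries):
    """True if ip falls into at least one configured entry."""
    ip = ipaddress.ip_address(ip)
    for lo, hi in map(parse_entry, entries):
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False

def decide(src, dst, address=(), interface=()):
    """Model of the documented outcome: 'PASS' (query proceeds) or 'NOTAUTH'."""
    # Assumption: an option that is not set places no restriction.
    if address and not in_any(src, address):
        return "NOTAUTH"
    if interface and not in_any(dst, interface):
        return "NOTAUTH"
    return "PASS"

def lint(entries):
    """Return bare 0.0.0.0 / ::0 entries, which the note says not to use."""
    return [e for e in entries
            if "-" not in e and "/" not in e
            and ipaddress.ip_address(e.strip()).is_unspecified]

ADDRESS = ["192.0.2.73-192.0.2.90", "203.0.113.0/24"]  # from the Example section
INTERFACE = ["198.51.100.1"]                            # constructed value

if __name__ == "__main__":
    # Constructed (source address, target interface) pairs.
    for src, dst in [("192.0.2.80", "198.51.100.1"),
                     ("192.0.2.91", "198.51.100.1"),
                     ("203.0.113.7", "198.51.100.2")]:
        print(src, "->", dst, decide(src, dst, ADDRESS, INTERFACE))
    print("entries to remove:", lint(INTERFACE + ["0.0.0.0", "::0"]))
```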