Restrict authoritative queries to internal networks #227
Mirrors the puppet authoritative `master-zones` view (`match-clients acl-main.unkin.net`, `recursion no`): restricting who can query `bind-authoritative`.

### Changes

- `auth-acl-main` BindACL with the puppet authoritative `acl-main.unkin.net` networks (13-17, 19, 20, 24-29)
- `allow-query { auth-acl-main; 10.42.0.0/16; }` on `bind-authoritative` via `extraOptions`

### Notes

- `allow-query` rather than a BindView: dynamic primary zones inside a view would need per-view `allow-new-zones` (an operator gap). Functionally equivalent for the single `master-zones` view.
- `10.42.0.0/16` (pod network) is included so secondaries can SOA-refresh from the primary during catalog replication; without it, replication breaks.

### Caveat

The DNS Services use `externalTrafficPolicy: Cluster`, which SNATs external clients to node IPs (198.18.19.x, already in `acl-main`), so this ACL doesn't truly restrict external clients yet. True source-IP restriction needs `externalTrafficPolicy: Local`; happy to switch if wanted.
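For reference, the `named.conf` that the `BindACL` plus `extraOptions` above should render to, as an added example and not configuration from this repository. The concrete `acl-main.unkin.net` prefixes are an assumption (the PR names the networks only by their third octet; `198.18.N.0/24` is inferred from the node IPs mentioned in the caveat), and the `allow-transfer` line is an addition to show that `allow-query` alone does not govern zone transfers:

```conf
// Added example (not the repository's own config): what the BindACL and
// allow-query extraOptions from this PR render to in named.conf.

// Assumption: the puppet acl-main.unkin.net networks, written as /24s
// using the octets listed in the PR (13-17, 19, 20, 24-29).
acl "auth-acl-main" {
    198.18.13.0/24; 198.18.14.0/24; 198.18.15.0/24;
    198.18.16.0/24; 198.18.17.0/24; 198.18.19.0/24;
    198.18.20.0/24; 198.18.24.0/24; 198.18.25.0/24;
    198.18.26.0/24; 198.18.27.0/24; 198.18.28.0/24;
    198.18.29.0/24;
};

options {
    directory "/var/cache/bind";

    // Authoritative only, as in the puppet master-zones view.
    recursion no;

    // Global allow-query instead of a view (see the Notes above): a
    // source address matched by no element is answered with REFUSED.
    // 10.42.0.0/16 is the pod network; secondaries send their SOA
    // refresh queries from there, so leaving it out breaks catalog
    // zone replication even though every other client is unaffected.
    allow-query { auth-acl-main; 10.42.0.0/16; };

    // allow-query does not cover AXFR/IXFR; transfers are a separate
    // knob. Assumption: only the in-cluster secondaries may transfer.
    allow-transfer { 10.42.0.0/16; };
};
```

To check the effect, run `named-checkconf` on the rendered file, then query the primary for the SOA of a hosted zone from a host inside the ACL (expect `status: NOERROR`) and from one outside it (expect `status: REFUSED`). With `externalTrafficPolicy: Cluster` the second test will still succeed, because `named` sees the SNATed node IP rather than the client; that is the caveat above, and the test only becomes meaningful after switching the Service to `Local`.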
Mirrors the puppet authoritative master-zones view (match-clients acl-main.unkin.net) using a global allow-query instead of a view, since dynamic primary zones in a view would need per-view allow-new-zones. - add auth-acl-main BindACL (the puppet acl-main.unkin.net networks) - allow-query { auth-acl-main; 10.42.0.0/16; } on bind-authoritative (pod net included so secondaries can SOA-refresh from the primary)