Forum Discussion

Sadhna_80746
Nimbostratus
May 01, 2012

Creating a view in F5 GUI and creating zones under it

Hi,

When I create my own view manually in the GUI and create a zone (zone type: MASTER) under it, it gets created successfully. No error.

Then when I click on the zone name that I created above, I get the following error:

General error:01150b21:3: RCODE returned from query:'REFUSED'.

When I create a zone under the existing view "external" and after creating successfully click on the zone name, I am not getting any error.

Please advise.

Thanks

  • No, still not blocking resolution to what's in the match-clients... yep, did do a restart, "bigstart restart named".

    match-clients {
        172.16.201.240/32;
        127.10.0.0/24;
        "zrd-acl-000-001";
        "zrd-acl-000-002";
    };

    Wonder if it has anything to do with the error thrown out by F5 GUI: "01150b21:3: RCODE returned from query: 'NOTAUTH'. "

  • bhs_114985
    Historic F5 Account

    could you please post a sanitized copy of your named.conf thanks!

  • Hey mate,

    Thanks for helping out. Config below; as you will see, I'm trying to limit "Internal" view access to certain IPs.

    // restrict rndc access to local machines
    // use the key in the default place: /config/rndc.key
    controls {
        inet 127.0.0.1 port 953 allow {
            127.0.0.1;
        };
    };
    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default {
            logfile;
        };
        category config {
            logfile;
        };
        category notify {
            logfile;
        };
    };
    options {
        listen-on port 53 {
            127.0.0.1;
            "zrd-acl-000-000";
            "zrd-acl-000-002";
        };
        listen-on-v6 port 53 {
            ::1;
        };
        recursion no;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        check-names master warn;
        check-integrity yes;
        max-journal-size 1M;
        version "none";
    };
    acl "zrd-acl-000-000" {
        127.10.0.0;
    };
    acl "zrd-acl-000-001" {
        127.10.0.1;
    };
    acl "zrd-acl-000-002" {
        127.10.0.2;
    };
    view "external" {
        match-clients {
            "zrd-acl-000-000";
            any;
        };
        zone "com.au." {
            type master;
            file "db.external.com.au.";
            allow-update {
                localhost;
            };
        };
        zone "ck.com." {
            type master;
            file "db.external.ck.com.";
            allow-update {
                localhost;
            };
        };
        zone "ck.org." {
            type master;
            file "db.external.ck.org.";
            allow-update {
                localhost;
            };
        };
        zone "100.100.100.in-addr.arpa." {
            type master;
            file "db.external.100.100.100.in-addr.arpa.";
            allow-update {
                localhost;
            };
        };
        zone "200.16.172.in-addr.arpa." {
            type master;
            file "db.external.200.16.172.in-addr.arpa.";
            allow-update {
                localhost;
            };
        };
    };
    view "Internal" {
        match-clients {
            172.16.201.240/32;
            "zrd-acl-000-001";
            "zrd-acl-000-002";
        };
        zone "ck.internal." {
            type master;
            file "db.Internal.ck.internal.";
            allow-update {
                localhost;
            };
        };
    };
  • bhs_114985
    Historic F5 Account

    No problem. Glad to help!

    I think I see your problem. Get rid of the "any" in the statement below:

    view "external" { match-clients { "zrd-acl-000-000"; any;

    Make sure to restart zrd and named after the change.

  • Hmm, no luck, it is still allowing access from outside to the internal zone:

    match-clients { "zrd-acl-000-000"; 172.16.200.0/24; };

    Actually even with below in the external view, it is still allowing:

    match-clients { "zrd-acl-000-000"; };

  • Having similar problems. I want to create a view called "internal" that only allows queries from 10.0.0.0/8. Even after checking the named.conf, views, and rebooting the GTM, it still doesn't work. Really smells like a bug.

  • Well, we gave up with "views". We ended up using iRules to block queries for internal zones from the internet...

  • I found a partial solution - change the view order. In 11.5, go to DNS -> Zones -> Zone Runner -> View List and modify the view order to "First". The view will then magically work as expected, however, this pushes the other views back and will partially break them.

    I highly doubt this is expected behavior, since view ordering should only be cosmetic. But I'll be opening a case with F5 support to get more clarification.
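The behaviour the replies above turn on (the "any" entry in the first view, and the view order deciding which match-clients list named consults) can be reproduced with a small model of BIND's first-match view selection. This is an added example, not code from the thread or from F5; it assumes standard BIND semantics (views tried in named.conf order, first accepting match-clients list wins, bare addresses are /32) and uses the ACL names and view contents from the posted named.conf. `list_matches` and `select_view` are hypothetical helper names.

```python
"""Model of BIND's first-match view selection (constructed example, not F5 code).
Views are tried in named.conf order; the first view whose match-clients list
accepts the client address wins, so a view listing 'any' hides every later view."""
import ipaddress

# Named ACLs as in the posted named.conf (bare addresses are /32 in BIND).
ACLS = {
    "zrd-acl-000-000": ["127.10.0.0"],
    "zrd-acl-000-001": ["127.10.0.1"],
    "zrd-acl-000-002": ["127.10.0.2"],
}


def list_matches(elements, client, acls=ACLS):
    """First-match evaluation of one address match list.
    Returns True if accepted, False if the first hit was a negated ('!')
    element, None if nothing matched (named then tries the next view)."""
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "localhost":
            hit = client.is_loopback
        elif name in acls:  # nested named ACL, evaluated recursively
            hit = list_matches(acls[name], client, acls) is True
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def select_view(views, client_ip, acls=ACLS):
    """Name of the first view (in order) whose match-clients accepts client_ip,
    or None when no view matches (named answers REFUSED for such clients)."""
    client = ipaddress.ip_address(client_ip)
    for view_name, match_clients in views:
        if list_matches(match_clients, client, acls) is True:
            return view_name
    return None


# View order as posted: "external" carries 'any' and comes first.
AS_POSTED = [
    ("external", ["zrd-acl-000-000", "any"]),
    ("Internal", ["172.16.201.240/32", "zrd-acl-000-001", "zrd-acl-000-002"]),
]
# Same views with "Internal" moved first, as the last reply describes.
REORDERED = [AS_POSTED[1], AS_POSTED[0]]
```

With AS_POSTED every client, including 172.16.201.240, lands in "external" because 'any' accepts it before "Internal" is ever consulted; with REORDERED the internal addresses get "Internal" and everyone else still falls through to "external".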