authormrobbetts <mrobbetts@gmail.com>2023-04-06 21:55:09 -0700
committerGitHub <noreply@github.com>2023-04-07 06:55:09 +0200
commit3c1c5600e895409df2e19a142aa4d72717a912f7 (patch)
tree830e27c7ab4cc52817cd851d6c032a92828c3177 /nixos
parent8d474038efd0085703316411c89309b1920172f1 (diff)
bind: replace hard-coded `allow-query` zone setting with a real zone parameter. (#224776)
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md2
-rw-r--r--nixos/modules/services/networking/bind.nix19
2 files changed, 18 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 4f119d964ed3b..ebf504430bdfc 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -385,6 +385,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
 
+- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).
+
 ## Detailed migration information {#sec-release-23.05-migration}
 
 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index f963e341546c7..f1829747bb1e0 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -36,6 +36,17 @@ let
         description = lib.mdDoc "Addresses who may request zone transfers.";
         default = [ ];
       };
+      allowQuery = mkOption {
+        type = types.listOf types.str;
+        description = lib.mdDoc ''
+          List of address ranges allowed to query this zone. Instead of the address(es), this may instead
+          contain the single string "any".
+
+          NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
+          of `cachenetworks`.
+        '';
+        default = [ "any" ];
+      };
       extraConfig = mkOption {
         type = types.str;
         description = lib.mdDoc "Extra zone config to be appended at the end of the zone section.";
@@ -69,7 +80,7 @@ let
       ${cfg.extraConfig}
 
       ${ concatMapStrings
-          ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }:
+          ({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [], extraConfig ? "" }:
             ''
               zone "${name}" {
                 type ${if master then "master" else "slave"};
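Review bot: The destructuring default `allowQuery ? []` on the new lambda parameter disagrees with the option default `[ "any" ]` declared at the mkOption in the previous hunk, and the release note promises that `any` remains the default. If a zone ever reaches this template without an `allowQuery` attribute (whether that can happen depends on how `cfg.zones` is typed, which is outside this hunk), the rendering in the next hunk becomes `allow-query { };`, which BIND treats as an empty match list and so denies every query to that zone rather than allowing all of them. The other defaults in this pattern (`slaves ? []`, `extraConfig ? ""`) are harmless when empty, but for `allow-query` empty is the most restrictive value, so the fallback should match the option: `({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [ "any" ], extraConfig ? "" }:`. The option description could also state that an explicitly empty list yields a deny-all `allow-query { };`, so that a user setting `allowQuery = [ ]` gets the fail-closed behaviour knowingly. The enclosing `concatMapStrings` call and the zone template continue past this hunk.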
@@ -87,7 +98,7 @@ let
                      };
                    ''
                 }
-                allow-query { any; };
+                allow-query { ${concatMapStrings (ip: "${ip}; ") allowQuery}};
                 ${extraConfig}
               };
             '')
@@ -120,7 +131,9 @@ in
         description = lib.mdDoc ''
           What networks are allowed to use us as a resolver.  Note
           that this is for recursive queries -- all networks are
-          allowed to query zones configured with the `zones` option.
+          allowed to query zones configured with the `zones` option
+          by default (although this may be overridden within each
+          zone's configuration, via the `allowQuery` option).
           It is recommended that you limit cacheNetworks to avoid your
           server being used for DNS amplification attacks.
         '';