From 3c1c5600e895409df2e19a142aa4d72717a912f7 Mon Sep 17 00:00:00 2001
From: mrobbetts
Date: Thu, 6 Apr 2023 21:55:09 -0700
Subject: bind: replace hard-coded `allow-query` zone setting with a real zone parameter. (#224776)
---
 nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++
 nixos/modules/services/networking/bind.nix | 19 ++++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
(limited to 'nixos')
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 4f119d964ed3b..ebf504430bdfc 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -385,6 +385,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
+- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).
+
 ## Detailed migration information {#sec-release-23.05-migration}
 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index f963e341546c7..f1829747bb1e0 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -36,6 +36,17 @@ let
 description = lib.mdDoc "Addresses who may request zone transfers.";
 default = [ ];
 };
+ allowQuery = mkOption {
+ type = types.listOf types.str;
+ description = lib.mdDoc ''
+ List of address ranges allowed to query this zone. Instead of the address(es), this may instead
+ contain the single string "any".
+
+ NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
+ of `cachenetworks`.
+ '';
+ default = [ "any" ];
+ };
 extraConfig = mkOption {
 type = types.str;
 description = lib.mdDoc "Extra zone config to be appended at the end of the zone section.";
@@ -69,7 +80,7 @@ let
 ${cfg.extraConfig}
 ${
 concatMapStrings
- ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }:
+ ({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [], extraConfig ? "" }:
 ''
 zone "${name}" {
 type ${if master then "master" else "slave"};
@@ -87,7 +98,7 @@ let
 };
 ''
 }
- allow-query { any; };
+ allow-query { ${concatMapStrings (ip: "${ip}; ") allowQuery}};
 ${extraConfig}
 };
 '')
@@ -120,7 +131,9 @@ in
 description = lib.mdDoc ''
 What networks are allowed to use us as a resolver. Note that this is for recursive queries -- all networks are
- allowed to query zones configured with the `zones` option.
+ allowed to query zones configured with the `zones` option
+ by default (although this may be overridden within each
+ zone's configuration, via the `allowQuery` option).
 It is recommended that you limit cacheNetworks to avoid your server being used for DNS amplification attacks.
 '';
--
cgit 1.4.1
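Review bot: The NOTE in the new `allowQuery` description points the reader at `cachenetworks`, while the option this module exposes is spelled `cacheNetworks` (the fourth hunk of this file uses that spelling); if the NixOS option is meant, the casing should match, and if it is the ACL name inside the generated named.conf, say so explicitly, since someone reading option docs never sees that name. The description also documents the `"any"` special case but not the empty list: with the rendering in the third hunk, `[ ]` produces `allow-query { };`, which BIND treats as an address match list that matches no client, so the zone answers nobody. I would change the NOTE to `NOTE: This overrides the global-level \`allow-query\` setting, which is derived from the \`cacheNetworks\` option. An empty list denies all queries to this zone.` so operators who tighten a zone know the fail-closed outcome before named is restarted.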
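Review bot: The destructuring default `allowQuery ? []` on the new parameter line disagrees with the option default `[ "any" ]` declared in the first hunk. When a zone is evaluated through the option's submodule the option default applies, but if any path hands this function a zone attrset that did not go through the module (which is presumably why the `?` fallbacks exist at all), the zone is rendered with `allow-query { };` and stops answering, instead of keeping the previous `any` behaviour the release note promises. Using `allowQuery ? [ "any" ]` keeps both paths on the documented default. The lambda this parameter list belongs to continues past the end of the hunk.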
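Review bot: The replacement line splices each list element into named.conf verbatim via `concatMapStrings (ip: "${ip}; ") allowQuery`, and `types.listOf types.str` in the first hunk gives it no structural check, so an entry containing `;`, `{` or `}` silently terminates the `allow-query` clause early or rewrites the rest of the zone stanza, and a mistyped address only surfaces when named refuses to start. For the expected default the output is `allow-query { any; };`, matching the removed line, so behaviour is preserved there. Whether the sibling `slaves`/`masters` lists get the same treatment is outside this hunk; if they do not validate either, a shared check such as an `assertion` rejecting entries that match `[;{}]` would cover all three consistently.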