Bind9 Address Match List
From: https://www.zytrax.com/books/dns/ch7/address_match_list.html
BIND Definition of Address List Match
This section defines the term address_match_list, which is used with many named.conf
statements. The full syntax allows many variations:
address_match_list = element ; [ element; ... ]
An address_match_list is comprised of one or more elements each of which has the
following syntax:
element = [!] (ip [/prefix] | key key-name | "acl_name" | { address_match_list } )
The elements which make up an address match list can be:
- Optional negation ("!") of an element;
- An IP address (IPv4 or IPv6);
- An IP prefix (using the slash (/) notation), for example, 10.0/16 or
192.168.2/24;
- A key-name, as it appears in a key clause;
- The name of an address_match_list previously defined with an ACL clause;
- A nested address match list enclosed in braces;
- One of four predefined names described below.
The four predefined address_match_list names are:
- "none" - matches no host IP addresses
- "any" - matches all host IP addresses
- "localhost" - matches all the IP address(es) of the server on which BIND is
running but only when accessed from the same host (internal). For example, if
the server has a single interface with an IP address of 192.168.2.3 then
localhost will match 192.168.2.3 and 127.0.0.1 (the loopback address is always
present) when issued from the same host, but if any external request arrives on
192.168.2.3 it will not match.
- "localnets" - matches all the IP address(es) and subnet masks of the server
on which BIND is running. For example, if the server has a single interface with
an IP address of 192.168.2.3 and a netmask of 255.255.255.0 (or 192.168.2.2/24)
then localnets will match 192.168.2.0 to 192.168.2.255 and 127.0.0.1 (the
loopback is always present and has a single address, that is, a netmask of
255.255.255.255). Some systems do not provide a way to determine the prefix
lengths of local IPv6 addresses. In such a case, localnets only matches the
local IP addresses, just like localhost, though in this case it applies to
external and internal (same host) requests alike.
When a given IP address is compared to an address_match_list, the list is
traversed in order until an element matches at which point processing stops. The
action taken will depend on the context of the statement to which it is being
applied as shown in the following example:
options {
    allow-transfer { !192.168.2.7; 192.168.2/24; };
};
If the IP address 192.168.2.47 requests a transfer it does not match the first
element but matches the second element, and the transfer is permitted. If,
however, IP 192.168.2.7 requests a transfer it matches the first element, which
is negated, meaning the transfer is denied. Because a match stops processing, the
match order is significant. If the above were rewritten to reverse the order,
then 192.168.2.7 would always be permitted to transfer because the first item
always matches, as shown below:
options {
    // incorrect version - permits 192.168.2.7 because the /24 is tested first
    allow-transfer { 192.168.2/24; !192.168.2.7; };
};
The general rule may be expressed as "a non-negated match permits the operation
and a negated match denies the operation; if there is no match the operation is
denied". The following example shows the use of an ACL clause to standardize an
address_match_list: by simply changing the contents of the ACL, the change is
propagated to every statement that references the acl clause:
acl "good-guys" {
    !192.168.2.0/28;     // denies first 16 IPs (192.168.2.0 - 192.168.2.15)
    192.168.2/24;        // allows rest of subnet
    localnets;           // allows our local network
    2001:db8:0:1::/64;   // allows this subnet only
};
options {
    allow-transfer { "good-guys"; };
};
Note: An address_match_list is order significant. Had the first two elements been
inverted, the whole of 192.168.2 would have been allowed.
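The following is an added example, not code from the zytrax page or from BIND itself: a small Python evaluator of the first-match rules just described (a non-negated match permits, a negated match denies, no match denies), run against the transfer examples and the "good-guys" acl above. The names `permitted`, `parse_prefix`, `ACLS` and `LOCAL` are the example's own; key-name elements are not modelled, and localhost is reduced to "equals one of the server's own addresses" without the same-host condition.

```python
import ipaddress

# Constructed evaluator, not BIND's own code. A negative match inside a nested
# list or a referenced acl is treated as "no match" for the referencing element
# (as BIND's lib/dns/acl.c does), so it never turns into a surprise permit when
# that reference is itself negated.

def parse_prefix(text):
    """Expand BIND's abbreviated IPv4 prefixes ('192.168.2/24', '10.0/16')."""
    addr, _, plen = text.partition("/")
    if ":" not in addr:                      # IPv4 shorthand: pad missing octets
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)

def _walk(ip, elements, acls, local):
    """Return True/False for the first matching element, None if none matches."""
    for element in elements:
        negated = isinstance(element, str) and element.startswith("!")
        target = element[1:].strip() if negated else element
        if isinstance(target, list) or target in acls:     # { ... } or "acl-name"
            inner = target if isinstance(target, list) else acls[target]
            if _walk(ip, inner, acls, local) is not True:
                continue                                   # negative or no match
        elif target == "any":
            pass
        elif target == "none":
            continue
        elif target == "localhost":
            if ip not in [iface.ip for iface in local]:
                continue
        elif target == "localnets":
            if not any(ip in iface.network for iface in local):
                continue
        elif ip not in parse_prefix(target):
            continue
        return not negated                                 # first match decides
    return None

def permitted(ip, elements, acls=None, local=()):
    """True if ip is permitted by the address_match_list `elements`.
    acls maps acl names to their lists; local holds the server's own
    ip_interface objects, consulted by localhost and localnets."""
    return _walk(ipaddress.ip_address(ip), elements, acls or {}, local) is True

# The "good-guys" acl from the text, with constructed server interfaces.
ACLS = {"good-guys": ["!192.168.2.0/28", "192.168.2/24", "localnets",
                      "2001:db8:0:1::/64"]}
LOCAL = [ipaddress.ip_interface("10.9.8.7/24"),
         ipaddress.ip_interface("127.0.0.1/32")]
```

Note the last check in the test below: because a negative match inside a referenced acl counts as no match, a list such as `{ "good-guys"; any; }` still permits 192.168.2.5, so a deny that must hold has to appear in the outer list.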
The key-name parameter allows the address_match_list to reference a key clause -
the match in this case will occur if the keys match.
Nesting is allowed but is only used with the topology statement (not currently
implemented) and the sortlist statement, where the address_match_list behavior is
slightly changed. Nesting use is described in the context of the sortlist
statement.