17.2.1.1. acl Statement
The acl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.
An acl statement takes the following form:
acl <acl-name> { <match-element>; [<match-element>; ...] };
In this statement, replace <acl-name> with the name of the access control list and replace <match-element> with a semicolon-separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.
The following access control lists are already defined as keywords to simplify configuration:
any — Matches every IP address
localhost — Matches any IP address in use by the local system
localnets — Matches any IP address on any network to which the local system is connected
none — Matches no IP addresses
When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:
acl black-hats {
    10.0.2.0/24;
    192.168.0.0/24;
};
acl red-hats {
    10.0.1.0/24;
};
options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};
This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver (their queries are blackholed and receive no response), while hosts in the red-hats list are given normal access, including recursion. Because allow-query is restricted to red-hats, a host that appears in neither list has its queries refused.
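The following Python script is an added example, not taken from this guide or from BIND: it parses acl statements of the form shown above together with the blackhole, allow-query and allow-recursion clauses, then reports how a given client address would be treated by those options. It goes beyond this section by also handling nested acl references and BIND's `!` negation prefix; the sample configuration text, the regex-based parser and the defaults used for absent clauses are illustrative assumptions.

```python
import ipaddress
import re
# Constructed sample: the two ACLs and the options statement from this section.
NAMED_CONF = """
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24; };
options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};
"""
# Matches one acl statement or one of the three address-match clauses in options.
BLOCK_RE = re.compile(r"(acl\s+(\S+)|blackhole|allow-query|allow-recursion)\s*\{([^}]*)\}\s*;")

def parse(conf):
    """Return (acls, options); each maps a name to its match elements in source order."""
    acls, options = {}, {}
    for m in BLOCK_RE.finditer(conf):
        elements = [e.strip() for e in m.group(3).split(";") if e.strip()]
        (acls if m.group(2) else options)[m.group(2) or m.group(1)] = elements
    return acls, options

def matches(ip, elements, acls):
    """BIND address-match-list rule: the first element that matches decides. Elements are
    any, none, a nested acl name, an address or a prefix, optionally negated with '!'."""
    addr = ipaddress.ip_address(ip)
    for element in elements:
        name = element.lstrip("!").strip()
        if name in ("any", "none"):
            hit = name == "any"
        elif name in acls:
            hit = matches(ip, acls[name], acls)
        else:  # localhost/localnets are not modelled: they depend on the host's interfaces
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not element.startswith("!")  # a negated hit means "no match"
    return False

def decide(ip, conf=NAMED_CONF):
    """How named treats a client under these options. Absent clauses use BIND's documented
    defaults none (blackhole) and any (allow-query); allow-recursion is assumed none here."""
    acls, options = parse(conf)
    if matches(ip, options.get("blackhole", []), acls):
        return "dropped"  # blackholed hosts get no response at all
    if not matches(ip, options.get("allow-query", ["any"]), acls):
        return "refused"
    return "query+recursion" if matches(ip, options.get("allow-recursion", []), acls) else "query-only"
```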