Configuring ACL (Access Control List)

An ACL in the context of network administration is a set of rules that control network traffic and limit access to networks and network resources based on predefined criteria. In DNS servers like ISC BIND, ACLs are used to define which clients (based on IP addresses or networks) are allowed or denied access to certain DNS services. Common uses of ACLs in DNS include:

  1. Restricting Query Access: Defining which clients are allowed to query the DNS server.

  2. Controlling Zone Transfers: Specifying which secondary servers are allowed to receive zone data from the primary server.

  3. Limiting Dynamic Updates: Controlling which clients can dynamically update DNS records, often used in conjunction with TSIG for secure DDNS.

ACLs allow for the implementation of security policies by controlling who can access the DNS server and what actions they can perform, which is critical for maintaining the integrity and security of the DNS infrastructure.


Managing ACL templates

ACL templates are predefined configurations that simplify the creation of Access Control Lists (ACLs) in various network services, including DNS and DHCP servers. An ACL template allows administrators to define a set of rules or criteria once and then apply them across multiple instances, reducing redundancy and potential for error in configurations.

Usage of ACL Templates

ACL templates are typically used in environments where the same access restrictions or permissions are needed across different zones, views, or services. Instead of defining the same ACL multiple times, a template is created once and then referenced wherever needed.

They can be applied globally at the cluster level, or within specific zones, views, or options.

Defining Named ACLs

To create Named ACLs:

  • Go to DNS -> Config -> ACL.

  • Click the ADD ACL button on the right.

  • Choose the type of the ACL: ISC Format or Template-based ACL.

  • For the DDI template, enter the IPv4/IPv6 addresses one by one in the Allow and Deny lists.

  • For the ISC format, follow the example below. Here's an example of an ACL in ISC BIND format:

acl "internal-network" {
    ! 192.168.0.100;       // Exclude a specific IP; it must be listed BEFORE the /24 that contains it,
                           // because BIND evaluates the list in order and stops at the first match
    192.168.0.0/24;        // An internal subnet in CIDR notation
    10.15.20.0/22;         // Another internal subnet in CIDR notation
    localhost;             // Predefined: every IPv4/IPv6 address configured on the server's own interfaces
    localnets;             // Predefined: every network the server has an interface on
    2001:db8::/32;         // An IPv6 subnet in CIDR notation
    key "transfer-key";    // Requests signed with this TSIG key also match
};
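The three common uses listed at the top of this article (restricting queries, controlling zone transfers, limiting dynamic updates) only take effect once a named ACL is referenced from the corresponding BIND access-control option. The following named.conf fragment is an added example, not part of the ManageEngine article or of the BIND distribution: it defines three ACLs and applies them in the options and zone blocks. All ACL names, prefixes, file paths, the zone name and the key names are assumptions chosen for illustration; the 192.0.2.0/24 and 2001:db8::/32 addresses are documentation ranges standing in for real hosts.

```conf
// Added example (not from the original article): named.conf fragment showing
// how named ACLs are consumed by BIND's allow-query / allow-transfer / allow-update.
// Every name, prefix and path below is an illustrative assumption.

acl "internal-network" {
    ! 192.168.0.100;       // Negations go BEFORE the prefix they carve out:
    192.168.0.0/24;        // address match lists are evaluated in order, first match wins
    10.15.20.0/22;
    localhost;             // all addresses on the server's own interfaces
    localnets;             // all directly attached networks
    2001:db8::/32;
};

acl "secondaries" {
    192.0.2.53;            // assumed secondary servers (documentation addresses)
    2001:db8:1::53;
};

acl "ddns-clients" {
    key "ddns-key";        // match only requests signed with this TSIG key, whatever their source IP
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate a real one with tsig-keygen
};

options {
    directory "/var/cache/bind";            // assumed working directory
    recursion yes;
    allow-query     { internal-network; };  // 1. restrict query access to the named ACL
    allow-recursion { internal-network; };  // keep recursive service off the public Internet
    allow-transfer  { none; };              // deny transfers globally; enable them per zone below
};

zone "example.com" {
    type primary;                           // "master" on BIND releases older than 9.16
    file "/var/lib/bind/db.example.com";    // assumed zone file path
    allow-transfer { secondaries; };        // 2. only the listed secondaries may pull the zone
    allow-update   { ddns-clients; };       // 3. dynamic updates must be TSIG-signed
};
```

After editing, run `named-checkconf` on the file before reloading; it reports syntax errors, an unknown ACL name, or a key secret that is not valid base64, which is why the placeholder secret above must be replaced with real tsig-keygen output before the configuration will load. Because `allow-transfer { none; }` is set in `options`, a zone that omits its own `allow-transfer` stays closed, so the per-zone `secondaries` ACL is an explicit opening rather than a narrowing of an open default.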

