bind: replace hard-coded allow-query zone setting with a real zone parameter. (#224776)

2023-04-06 21:55:09 -07:00 · 2023-04-06 21:55:09 -07:00 · 3c1c5600e8
commit 3c1c5600e8
parent 8d474038ef
2 changed files with 18 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -385,6 +385,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

+- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).
+
 ## Detailed migration information {#sec-release-23.05-migration}

 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@ -36,6 +36,17 @@ let
        description = lib.mdDoc "Addresses who may request zone transfers.";
        default = [ ];
      };
+      allowQuery = mkOption {
+        type = types.listOf types.str;
+        description = lib.mdDoc ''
+          List of address ranges allowed to query this zone. Instead of the address(es), this may instead
+          contain the single string "any".
+
+          NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
+          of `cachenetworks`.
+        '';
+        default = [ "any" ];
+      };
      extraConfig = mkOption {
        type = types.str;
        description = lib.mdDoc "Extra zone config to be appended at the end of the zone section.";
@ -69,7 +80,7 @@ let
      ${cfg.extraConfig}

      ${ concatMapStrings
-          ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }:
+          ({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [], extraConfig ? "" }:
            ''
              zone "${name}" {
                type ${if master then "master" else "slave"};
@ -87,7 +98,7 @@ let
                     };
                   ''
                }
-                allow-query { any; };
+                allow-query { ${concatMapStrings (ip: "${ip}; ") allowQuery}};
                ${extraConfig}
              };
            '')
@ -120,7 +131,9 @@ in
        description = lib.mdDoc ''
          What networks are allowed to use us as a resolver.  Note
          that this is for recursive queries -- all networks are
-          allowed to query zones configured with the `zones` option.
+          allowed to query zones configured with the `zones` option
+          by default (although this may be overridden within each
+          zone's configuration, via the `allowQuery` option).
          It is recommended that you limit cacheNetworks to avoid your
          server being used for DNS amplification attacks.
        '';