In a bind with BIND9

[Solignis]

I having a problem with OpenVPN when I try to query my BIND9 server(s).

I have an option in my BIND config that restricts querying ability to what is defined in the ACL lists in the config file.

The problem I am having is OpenVPN has an ACL entry but it is not allowing it though with the IP information I have given it.

The ACL is for 172.16.0.0/24 which is my OpenVPN subnet. But it appears my computer when talking back to the network after the vpn is established is using a /30 subnet mask which throws off my acl. I tried making an acl with the same address but a /30 and it did no good.

Anyone got any idea of how I can work around this?

[jcoehoorn]

I know it's hackish, but what about two acl entries?

[mrunkel]

Huh? How does the BIND server know what subnet mask the computer is using? That information isn't transmitted.

Maybe I'm misunderstanding.

[sky-knight]

Mask is used to indicate a range in this case.

[mrunkel]

Mask is used to indicate a range in this case.

Clearly, but that doesn't explain anything about why the client net mask matters.

[sky-knight]

That would be because Solignis doesn't understand why the mask works as a range. He's got an OpenVPN connection, which uses a /30 mask on the client, but doesn't apparently understand that the entire range is still represented by the /24 range he originally put in.

In short, what he's describing doesn't matter and he's having a different issue entirely.

The only reason I know this, is I've worked with him before so I've come to be able to decipher his brand of confusion. Which is rather scary to be honest.