Restricting Queries

Mathias Körber mathias at koerber.org
Wed Dec 6 05:32:51 UTC 2000


> Hi Folks,
>
> Perhaps this is a silly question.
>
> I've got a nameserver which I've locked up pretty tightly.
> It allows recursive queries to only a few other servers on
> the LAN, but currently answers queries to all.  (albeit only
> pointing them to root and forcing them to use other
> nameservers to do the work)
>
> Now if I do the following
> allow-query { LAN;};
>
> Suddenly the rest of the world can't look up names that my
> nameserver is authoritative for...that's bad.
>
> But I'd like to do something which really limits the ability
> for other clients to use my nameserver....ie they can query
> my nameserver directly, but only if it's for one of the zones
> that nameserver is authoritative for, otherwise they don't
> get any response.

	allow-query { any; };
	allow-recursion { LAN; };

You need a fairly recent BIND for this (8.2.2p7)

>
> Am I being silly?  ie. will I really save that much from not
> pointing them off to root like I do now?  Even if this
> weren't possible, would there be any reason why I wouldn't
> want to do this.

No, this *is* reasonable. Better yet would be a separate nameserver
for recursive queries by your LAN, but that usually is a question
of $$$ and thus not for everyone.

regards
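
An added example, not part of the original thread: a small Python check for verifying from outside the LAN what the server hands back once `allow-query` / `allow-recursion` are set. It reads only the RFC 1035 header of a reply; the function names and the header-only sample replies are constructed for illustration.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # RFC 1035 header flag bits

def build_query(name, qid=0x1234, rd=True):
    """Encode a minimal A/IN query; RD=1 asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(response):
    """Classify a DNS reply from its 12-byte header alone."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                    # server declined to answer
    if flags & AA:
        return "authoritative"              # name is in a zone the server owns
    if rcode == 0 and an > 0:
        return "non-authoritative-answer"   # server did the lookup work for us
    if rcode == 0 and ns > 0:
        return "referral"                   # "go ask these servers instead"
    return "other"

def recursion_offered(response):
    """True if the RA (recursion available) bit is set in the reply."""
    return bool(struct.unpack("!H", response[2:4])[0] & RA)

def _header(flags, an=0, ns=0):
    # Constructed header-only reply, for demonstration without a network.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0)

SAMPLES = {  # constructed replies, not captured traffic
    "own zone":       _header(QR | AA | RD, an=1),
    "foreign, LAN":   _header(QR | RD | RA, an=1),
    "foreign, world": _header(QR | RD, ns=13),
    "blocked":        _header(QR | RD | 5),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:15} {classify(reply):26} RA={recursion_offered(reply)}")
```

To run it against your own server, send the output of `build_query()` over UDP to port 53 from a host outside the `LAN` ACL and pass the reply to `classify()`; a `non-authoritative-answer` for a name outside your zones means recursion is still open to that client.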




More information about the bind-users mailing list