allow-query & port 1030 strangeness
Mathias Körber
mathias at koerber.org
Tue Nov 7 09:32:56 UTC 2000
> I'd like to limit the two secondaries to do something like this:
>
> allow-query { localhost; 211.99.175.64/27; 211.99.178.38; };
Ahem. This tells your secondaries that only the listed systems may direct
queries to your server. Exactly what happens below: queries from other
servers will not be answered (and logged as unapproved). Your secondaries
are supposed to serve your zone to the world, right, so you need
allow-query { any; };
I think you want
allow-recursion { localhost; 211.99.175.64/27; 211.99.178.38; };
which (along with the allow-query { any; };) will allow anyone
to use your nameserver to resolve your domains, and only the hosts listed
in the allow-recursion directive to use it for resolution of anything else.
If you do that on your primary too, you can dispense with the second BIND
instance and have it act recursively for locally originating queries.
> Finally, that last line above seems a bit strange... why is
> someone binding to port 1030 to query DNS? Is this
> normal for clients to bind to non-DNS standard ports?
Newer BINDs (BIND 8.something and later) use a random non-privileged
port for sending out queries (they still listen on port 53).
You can change that (if you want) using the query-source directive.
regards
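The named.conf options the reply above recommends, written out as an added example (this is not a configuration posted in the thread). The ACL reuses the addresses quoted from the original question; the zone name "example.com", the file path and the choice of 211.99.178.38 as the master are assumptions for illustration. The restrictive allow-query from the question is shown commented out beside the corrected pair of directives, and query-source is left with a wildcard port so the server keeps choosing a random unprivileged source port for outbound queries:

```conf
// Added example for a secondary (slave) nameserver; not from the original post.
// ACL name "ours" is an assumption; the addresses are the ones quoted in the question.
acl "ours" { localhost; 211.99.175.64/27; 211.99.178.38; };

options {
    directory "/var/named";            // assumed path

    // The setting from the question. On a secondary this is too restrictive:
    // every other resolver on the Internet asking for the zone is refused
    // (and logged as an unapproved query).
    // allow-query { ours; };

    // Corrected: answer queries for the zones we carry from anywhere, but
    // only perform recursion (lookups of other people's names) for our own hosts.
    allow-query     { any; };
    allow-recursion { ours; };

    // Outbound queries. "port *" keeps the random unprivileged source port the
    // reply describes; pinning a fixed port here is possible but makes the
    // server's outbound queries more predictable to an attacker.
    query-source address * port *;
};

// Zone name, file and master address are assumptions for illustration.
zone "example.com" {
    type slave;
    file "sec/example.com";
    masters { 211.99.178.38; };
};
```

The same allow-query/allow-recursion pair can be placed in the primary's options block, which is what lets a single BIND instance serve the zone publicly while still recursing for local clients, as the reply suggests.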