DNS & Mail Interaction

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 11 21:34:32 UTC 2001


Are you using the same nameserver instance to serve your domains to the public,
as well as to resolve Internet names for your internal clients? If so, then
setting a single global allow-query amounted to shooting yourself in the foot,
to be perfectly honest. It doesn't just matter whether the *receiving* mail
servers could resolve names from your nameserver, it also matters whether the
*sending* mail servers could resolve the MX records in your domains. And the
sending mail servers could, of course, be *anywhere*.

Set a global allow-query to restrict query access to your internal clients, and
then per-zone "allow-query { any; };" clauses to allow outside clients to
resolve your domains.

Or even better, serve the public from a different nameserver instance than your
own clients. Then you can turn off recursion completely on the
"public" instance and no-one external will ever be able to use your nameserver
for resolving names outside of your own domains.


- Kevin

Joe Blow wrote:

> Hello everyone,
>
> I have multiple (about 25) domains resolving to my dns server (8.2.3,
> getting ready to update to 9.1.1).
>
> I'm somewhat new at this (obviously!), and while reading DNS & BIND, I found
> the allow-query statement and thought I would implement it. We have 4 class
> c ranges assigned to us, and I allowed all 4 of them. This was last night. I
> tested it with nslookup from another domain and was denied queries if I set
> server=myserver / www.yahoo.com. Great!
>
> Today, I came in and noticed my log files were FULL of outside domains
> resolving off my server. I thought "cool - it worked!".
>
> However, I received some calls that some of my domains couldn't receive
> email all night (during the time the filter was in place). I can't say if
> all the domains were affected as I commented the allow-query statement as
> soon as I heard there was trouble. These users on these extra domains are
> not terribly active. Also, these domains are resolving to my IP's listed in
> the allow-query statement.
>
> Does anyone have any ideas on how to troubleshoot this? I don't understand
> the relationship between mail not being able to make a query (my sendmail
> machine is sitting on one of the networks that were in my allow-query
> entry. As a matter of fact, my primary DNS server is also my sendmail
> server). Or perhaps another mail machine makes the query? Or perhaps my
> implementation of the allow-query is wrong altogether.
>
> I'm running Solaris 8 (if that makes any difference).
>
> Thanks for any help or insights on how this should really be implemented and
> how it affects mail.
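The two layouts Kevin describes, written out as BIND 9 named.conf fragments. This is an added example, not configuration posted by either participant; the network ranges are constructed placeholders from the RFC 5737 documentation blocks, and the zone name, file paths and the public listening address are assumptions.

```conf
// Added example (not from the thread). Placeholder networks stand in for
// the poster's four class C ranges; adjust to your own allocation.

acl "internal" {
    192.0.2.0/24;
    198.51.100.0/24;
    203.0.113.0/24;
    127.0.0.1;
};

// --- What broke mail: a single global allow-query ------------------------
// With only this, a remote mail server trying to deliver to user@example.com
// is refused when it asks for the example.com MX record, so its mail queues
// or bounces even though the local sendmail host can still query fine.
//
// options {
//     allow-query { "internal"; };
// };

// --- Layout A: one instance, global restriction plus per-zone override -----
options {
    directory "/var/named";
    allow-query { "internal"; };   // default: only our own clients may ask
};

zone "example.com" {
    type master;
    file "master/example.com";
    allow-query { any; };          // but anyone may resolve the zones we serve
};

// --- Layout B: a separate, authoritative-only public instance --------------
// Goes in the named.conf of a second named process bound to the public
// address (203.0.113.53 here is an assumed address). The internal resolver
// keeps Layout A's "internal" restriction and is not reachable from outside.
//
// options {
//     directory "/var/named";
//     listen-on { 203.0.113.53; };
//     recursion no;              // never resolve names outside our own zones
//     allow-query { any; };      // authoritative answers for everyone
// };
//
// zone "example.com" {
//     type master;
//     file "master/example.com";
// };
```

To check the result from a host outside the internal ranges, ask the server for a record in one of its own zones (for example the example.com MX) and then for a name it is not authoritative for: the first must be answered, the second must be refused. Checking both directions, rather than only the refusal the poster tested, is what would have caught the mail outage before it happened.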





More information about the bind-users mailing list