query question

Kevin Darcy kcd at daimlerchrysler.com
Tue Jul 24 22:31:46 UTC 2001


How do you expect to host a domain if you don't let everyone query your
nameserver?

Set a global allow-query, restricted to only your internal clients, and
then override it with "allow-query { any; };" in each of the zones that
you host.

By the way, it's recommended practice to run caches and authoritative
servers on different boxes (or at least different nameserver instances).
These kinds of problems don't crop up when you do that. Something to
consider for the long term...


- Kevin

watson at hiwaay.net wrote:

> I have set up Bind 9.1x for some domains that I am hosting as well as
> for clients on the network. I have specified in options with my
> ipaddy's:
>
> allow-query { 999.999.999/24; }
>
> My clients have no problem getting on the net and the sites I am
> hosting can be pulled up on the net ( I did have one person call and
> say they couldn't pull one up, not sure of their skills though). The
> thing is though is if I look in my logs I am seeing where a ton of
> queries are being denied from a variety of ip addresses, some appear
> to be name servers, some are definitely not. What is the correct way to
> have bind allow my clients to resolve DNS and my hosting sites get
> published on the web. I can't believe that all of these queries that
> are being blocked are just trying to randomly pull DNS service from
> me. Please advise & thank you.
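
The layout described in the reply above, written out as a named.conf fragment. This is an added example, not part of the original message; the ACL name, the 192.0.2.0/24 network, the zone name and the zone file name are placeholders.

```conf
// Constructed example: names and addresses below are placeholders.

// Internal clients that may use this server as their resolver.
acl internal {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    // Global default: only internal clients may query. This covers
    // every name the server is not authoritative for, so outside
    // hosts cannot use the server as a general-purpose resolver.
    allow-query { internal; };

    // Added here, not mentioned in the reply: keep recursion limited
    // to the same clients.
    allow-recursion { internal; };
};

// Hosted zone: the per-zone allow-query overrides the global one,
// so anyone on the Internet can resolve names in this zone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};
```

Each hosted zone needs its own `allow-query { any; };` line; a zone without it falls back to the global setting and stays unreachable from outside.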





More information about the bind-users mailing list