bind raising security

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 14 20:06:45 UTC 2001


alexus wrote:

> is it possible somehow to setup in your named.conf
>
> to use allow-query to limit queries only from local area network (192.168.0.x)
> and use allow-recursion, to allow "others" to query only domains that I
> serve? can I put all those into one named.conf?

You can use allow-query or allow-recursion, or some combination of the two. Use
allow-query when you want the prohibited clients to get a REFUSED response. Use
allow-recursion when you want to prevent your nameserver doing extra work for
unauthorized clients. Note that if you have an answer cached, you'll serve that
answer to a client even if you're not honoring recursion to that client. So
even if you turn off recursion to external clients, you may find that they are
still pointing to you as their nameserver. Apparently, some people only access
yahoo.com and/or msn.com. Sigh.

The best thing, of course, is to completely separate recursive and
non-recursive service. That way, there's no incentive for any stub resolvers to
point to your (non-recursive) nameserver because the only answers available
from it are for names in your zones. The recursive server, on the other hand,
would only answer queries from internal clients; in fact, you could even put it
on a private address so there's very little possibility -- I won't say
*zero* possibility, since sometimes network admins screw up their routes --
that it could ever be used by an external client.


- Kevin
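As an added example (not part of the original thread or BIND's own documentation), here are the two arrangements described above in BIND 9 named.conf syntax: first a single server where a global allow-query is overridden per zone, then the split into an authoritative-only server and a LAN-only recursive server. The 192.168.0.0/24 range comes from the question; example.com, the file paths and the private address 10.0.0.53 are placeholders.

```conf
// Added example (not from the original thread): BIND 9 named.conf fragments.
// 192.168.0.0/24 is the network from the question; example.com, the file
// paths and 10.0.0.53 are placeholders.

// ---- named.conf, arrangement 1: one server doing both jobs ----
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

// The global allow-query refuses outsiders for everything, cached answers
// included; the zone-level allow-query overrides it so the zones you are
// authoritative for stay public.
options {
    directory "/var/named";
    allow-query     { lan; };   // default for the cache and unlisted names
    allow-recursion { lan; };   // no recursive work for outsiders
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-query { any; };       // zone-level override: authoritative data is public
};

// ---- named.conf, arrangement 2a: public, authoritative-only server ----
// It never recurses, so a stub resolver pointed at it gets nothing but
// your own zones and has no incentive to stay.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";
};

// ---- named.conf, arrangement 2b: internal recursive server ----
// Bound to a private address and answering only the LAN.
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion yes;
    allow-query     { lan; };
    allow-recursion { lan; };
};
```

To check the first arrangement from outside the LAN, `dig @server example.com SOA` should answer while `dig @server www.yahoo.com` comes back with status REFUSED; the same two queries from a 192.168.0.x host both get normal answers.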
