CNAMEs pointing to outside domains

Kevin Darcy kcd at
Tue Jun 18 01:14:26 UTC 2002

Vincent Aniello wrote:

> I am running Bind 9.2.1 and attempting to limit the hosts that can query my
> DNS server with the allow-query and allow-recursion options in named.conf.
> When I restrict these options to a list of trusted networks, from a host
> outside the list of trusted networks I am unable to lookup CNAMEs that refer
> to hosts that are part of domains not local to my DNS server.
> For example, for the record:
>    IN    CNAME
> Lookups on fail with a 'Query denied' error when queried
> via nslookup from a host outside of the list of trusted networks for my DNS
> server.
> When I set allow-query to 'any' and restrict recursion to a list of trusted
> networks with the allow-recursion option a nslookup of
> from a host outside the list of trusted networks returns the list of root
> DNS servers.
> Is it possible to configure Bind 9.2.1 to allow queries for CNAMEs that refer to
> non-local domains and still restrict queries and recursive queries for other
> domains and records?

I'm not aware of any such configuration option.

But, why is it necessary? Your nameserver has done the job of translating the
alias into a canonical name; any fully-functional resolver should then be able
to translate that canonical name into an A record or whatever. Somewhat
inefficient, yes, but it should still work. Isn't it?

- Kevin
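As an added example, not part of the original thread, here is the named.conf arrangement the question describes: queries open to everyone, recursion limited to a trusted ACL. The network ranges, zone name and file paths are placeholders, not values from the original post.

```conf
// Added example, not from the original post.  Networks, zone name and
// paths are placeholders.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;        // placeholder: internal network(s) allowed to recurse
};

options {
    directory "/var/named";

    // Restricting allow-query to the trusted list is what produced
    // 'query denied' for outside clients on every name, CNAME or not:
    //     allow-query { trusted; };
    //
    // Instead, open queries to everyone and restrict only recursion.
    // Outside clients then receive authoritative data (including CNAME
    // records whose targets live in other domains) but cannot use this
    // server to resolve arbitrary names on their behalf.
    allow-query     { any; };
    allow-recursion { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // A per-zone allow-query overrides the global setting; keep it open
    // here so the zone's CNAME records are visible to the outside world.
    allow-query { any; };
};
```

To check the result from a host outside the trusted list, query the server directly with recursion turned off, for instance `dig @<server> <alias-name> +norecurse`: the answer section should carry the CNAME record and the status should not be REFUSED. Resolving the canonical name the CNAME points to is then the job of the querying host's own resolver, which is the behaviour Kevin describes above. A query from outside for a name the server is not authoritative for should still yield no answer data, confirming that recursion remains closed.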

