ACL lists

Cricket Liu cricket at
Tue Oct 22 01:00:47 UTC 2002

Derek Caines wrote:
> I'm planning on configuring (via an ACL list) the external DNS servers
> to default to allowing only internal recursion from 3 internal DNS
> servers.
> All other internal resolvers/servers query the above 3 internal
> servers which in turn query the perimeter DNS servers only for
> internet/external lookups.
> Q: When checking the source of the query for allowing/disallowing
> recursion, do the external servers use the IP of the original client
> or that of the server that is passing the query along.
> Or stated differently, do I have to include all internal networks in
> my ACL list, or will the IPs of the 3 internal servers passing along
> the request be adequate?

Just the three internal name servers.  The DNS message that the
external name servers receive doesn't contain the address of the
original querier, so it has no idea who that was.


Men & Mice
DNS Software, Training and Consulting

The DNS and BIND Cookbook, available now!
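As an added illustration of the setup discussed in this thread (example configuration, not code from the original post or from the poster's network), here is a BIND named.conf fragment for a perimeter server that recurses only for three internal name servers, followed by the matching fragment for one of those internal servers. All addresses, zone names and file names are placeholders assumed for the example. The ACL lists the addresses the perimeter server actually sees as the UDP/TCP source of the query: if the internal servers sit behind NAT, that is the translated address, not the servers' own.

```conf
// --- Perimeter (external) name server ---------------------------------
// Assumed placeholder addresses; the three internal servers are the only
// sources allowed to use this server recursively. The perimeter server
// never learns the address of the stub resolver that originally asked.
acl "internal-resolvers" {
    10.1.0.1;
    10.1.0.2;
    10.1.0.3;
};

options {
    directory "/var/named";
    recursion yes;
    // Recursion only for the three forwarding servers, nobody else.
    allow-recursion { "internal-resolvers"; };
    // BIND 9.4 and later also gate reads from the cache separately;
    // match it to allow-recursion so cached data does not leak.
    allow-query-cache { "internal-resolvers"; };
    // Authoritative data is still served to the whole Internet.
    allow-query { any; };
};

// Assumed example zone this perimeter server is authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// --- One of the three internal name servers ---------------------------
// Recurses for every internal client and sends all external lookups to
// the perimeter servers, so the perimeter only ever sees this source IP.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };          // assumed internal networks
    allow-query-cache { 10.0.0.0/8; };
    forwarders { 203.0.113.53; 203.0.113.54; }; // assumed perimeter servers
    forward only;
};
```

To confirm the policy from the outside, send a query that needs recursion from an address that is not in the ACL; the perimeter server should answer with REFUSED (or, on older BIND, return a referral rather than resolve it), while the same query sent from one of the three internal servers resolves normally.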
