Stealth Slave used in forwarders list.. workable or not ??

Kevin Darcy kcd at
Wed Oct 23 21:47:27 UTC 2002

Cricket Liu wrote:

> Kevin Darcy wrote:
> > Cricket Liu wrote:
> >
> >> Theo C wrote:
> >>> I'm setting up our external DNS servers not to allow recursion..
> >>> (either from internal or external machines.) I'm also setting up
> >>> Stealth Secondaries that will allow recursion from internal
> >>> machines. Our internal servers will be authoritative for internal
> >>> domains and forward all Internet queries to the external stealth
> >>> secondaries.
> >>>
> >>> Q:Will this work? (I know that a stealth secondary usually only
> >>> serves resolvers, but does it differentiate between a resolver
> >>> request and a Name server request?
> >>
> >> No, it has no way of doing that.  They just look like recursive
> >> queries.
> >
> > Well, one could enumerate all of the internal servers in an
> > allow-recursion statement, but that's not very maintainable...
> Actually, the question I was answering was, "Can a name server
> tell whether a query comes from a resolver or a name server?"

I was addressing the more general "Will it work?" part. Answer: it _can_
work, just not with any kind of magical client-vs-server differentiation
of queries, and with the caveat that address-based ACLs are notoriously

Perhaps I should have also mentioned that recursion can now be limited
by TSIG key, so as long the internal servers are all configured to sign
their forwarded queries with the same TSIG key, one wouldn't have to
maintain address-based ACLs. This would have the potential to be more
secure as well, assuming -- as always -- that the key is locked up

- Kevin

More information about the bind-users mailing list