allow-recursion for internal hosts resolves cached queries for externals.

oliver bril oliver_bril at hotmail.com
Thu Oct 16 09:48:53 UTC 2003


Barry Margolin <barry.margolin at level3.com> wrote in message news:<bmk47e$1ck3$1 at sf1.isc.org>...
> In article <bmk0a9$15uk$1 at sf1.isc.org>,
> oliver bril <oliver_bril at hotmail.com> wrote:
> >Here is the problem:
> >
> >When an "internal" host resolves for instance hotmail.com, this is
> >cached by BIND. When I resolve hotmail.com on an external host (not
> >defined in the ACL) it also resolves hotmail (I think because it's in
> >its cache).
> >
> >When I flush my cache and do the query from an external host to
> >hotmail again, it just says you should go to the root servers (which is
> >good).
> >
> >Isn't this a bug? Because as far as I understand, the function shouldn't
> >allow external hosts to resolve hotmail.com (not even when it is in
> >the DNS server's cache).
> 
> No, it doesn't allow them to initiate a recursive query.  If the answer is
> already in the cache, no recursive query is being done.
> 
> You can accomplish what you want by using allow-query instead of
> allow-recursion:
> 
> options {
>   ...
>   allow-query { internal; };
> };
> 
> zone "firstdomain" {
>   ...
>   allow-query { any; };
> };
> zone "seconddomain" {
>   ...
>   allow-query { any; };
> };
Thanks for the response,

I tried that one, but then the BIND server is giving some strange
responses (at least I think it does). When you use the allow-query
statement as described above, a request for, for instance, hotmail.com
results in giving back a list of root servers. No problem. But when
you have a hosted domain (firstdomain.com)
and you ask the DNS server to resolve testerdietest.firstdomain.com
(which is not in the zone file), the response is also a list of root
servers. I think the DNS server should not return a list of root
servers but something like "unknown domain name/hostname", because if
you are primary for this domain you should give the correct answers.
(I mean the same error code as when you don't allow-query.)

The only solution (as far as I could see) is to make a rule with
*.firstdomain.com, because then the server will always respond with a
correct answer. Somehow I don't think this is the best solution,
because then it's too easy to send spam. (I hate * routings.)

I don't know if I'm correct with the statements I write down; it is
just how I think things should work.

regards,

Oliver
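The weak and the corrected named.conf settings discussed in this thread, side by side, as an added example that is not from the thread or from the BIND documentation; the `internal` ACL, the network prefix and the zone file path are assumed values. The third variant goes beyond the thread: it uses `allow-query-cache`, which exists in BIND 9.4 and later and was not available when this exchange took place. The three `options` blocks are alternatives, so only one of them belongs in a real named.conf.

```conf
acl internal { 192.0.2.0/24; 127.0.0.1; };   // assumed internal network

// Variant 1 (weak): only recursion is gated. An external client cannot
// make the server recurse on its behalf, but a name that is already in
// the cache is still answered, which is the behaviour reported above.
options {
    recursion yes;
    allow-recursion { internal; };
    // allow-query is not set, so it defaults to { any; }
};

// Variant 2 (the approach from the quoted reply): gate every query
// globally, then re-open only the zones this server is authoritative for.
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };       // externals get REFUSED for everything
                                     // else, cached answers included
};
zone "firstdomain.com" {
    type master;
    file "firstdomain.com.zone";     // assumed path
    allow-query { any; };            // externals may query this zone's data;
                                     // in BIND 9 a missing name in the zone
                                     // is answered NXDOMAIN from zone data
};

// Variant 3 (BIND 9.4 and later): allow-query-cache separates the two
// concerns, so the per-zone override is no longer needed.
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query { any; };            // authoritative zone data for everyone
    allow-query-cache { internal; }; // cache contents only for internal hosts
};
```

To check the result from an address outside the ACL, query the server with `dig @<server> hotmail.com` (placeholder server name): with variant 2 or 3 the status is REFUSED rather than a cached answer, while a query for a name in `firstdomain.com` is still answered from zone data.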

