denying external cache lookups

Allen Wooden allen.wooden at harboreast.net
Thu Dec 15 17:13:45 UTC 2005


Sorry if this is a double post. 

I'd like some thoughts on denying cache lookups from foreign resolvers.
Currently I have ACLs set up to allow my customers to use my DNS servers recursively.
I also allow queries from anywhere.

BIND 9.3.1 on Solaris 8.

--CURRENT
options {
        allow-recursion { localhost; internal; ex_recurse;};
        allow-query { any; };
        ...
};

The ACLs are class C subnets we wish to allow recursion from.

I guess my question is two-fold.
1. If I change the options to be:
options {
        allow-recursion { localhost; internal; ex_recurse;};
        allow-query { localhost; internal; ex_recurse; };
        ...
};

and in each zone statement add:
allow-query { any; };

Is there a good chance I'm going to break something? Will this do what I think it will do,
which is deny all queries from outside except for authoritative data, while still allowing
my internal nameservers and customers to do recursion and query the cache?
Would the allow-query { any; }; at the zone level supersede the global config? I am thinking
it would.

What should I expect the response to a foreign resolver after I make this change? refused or a referral?
I would think it would return refused because I told it not to answer except for authoritative data or allowed
subnets.

2. Should I even worry about this?


-- 
Allen Wooden
Harboreast Hosting Solutions
http://www.harboreast.net
allen.wooden at harboreast.net
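As an added illustration (not from the original post), here is a named.conf sketch of the split the question describes: a restricted global allow-query with a per-zone allow-query { any; } override. The zone name and the ACL prefixes are placeholders; "internal" and "ex_recurse" are the poster's ACL names.

```conf
// Added example, not from the original post. Zone name and ACL prefixes are
// placeholders (RFC 5737 documentation ranges); ACL names are the poster's.
acl internal   { 192.0.2.0/24; };
acl ex_recurse { 198.51.100.0/24; };

options {
        // Recursion, and with it use of the cache, only for trusted networks.
        allow-recursion { localhost; internal; ex_recurse; };
        // Global default: everyone else gets no answers at all, so a
        // foreign resolver cannot read cached data out of this server.
        allow-query     { localhost; internal; ex_recurse; };
        ...
};

// The zone-level allow-query overrides the global one, so authoritative
// data for the zones this server hosts stays reachable from anywhere.
zone "example.com" {
        type master;
        file "db.example.com";
        allow-query { any; };
};
```

On BIND 9.4 and later, the options statement also accepts allow-query-cache, which limits cache lookups directly without needing a per-zone override for every authoritative zone.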