denying external cache lookups.

Barry Margolin barmar at alum.mit.edu
Fri Dec 16 00:23:50 UTC 2005


In article <dnsch0$1h2u$1 at sf1.isc.org>,
 Allen Wooden <awooden at harboreast.net> wrote:

> I guess my question is two-fold.
> 1. If I change the options to be:
> options {
>         allow-recursion { localhost; internal; ex_recurse; };
>         allow-query { localhost; internal; ex_recurse; };
>         ...
> };
> 
> and in each zone statement add:
> allow-query { any; };
> 
> Is there a good chance I'm going to break something? Will this do what I
> think it will do, which is deny all queries from outside except for
> authoritative data, while still allowing my internal nameservers and
> customers to do recursion and query the cache? Would the
> allow-query { any; }; at the zone level supersede the global config?
> I am thinking it would.

You're doing it exactly right.  You shouldn't have any problems.

> What should I expect the response to a foreign resolver after I make this
> change? Refused or a referral? I would think it would return refused
> because I told it not to answer except for authoritative data or allowed
> subnets.

Correct.  The only exception might be if they ask about a delegated 
subdomain of one of your authoritative zones -- in that case I think 
you'll return the delegation.

> 2. Should I even worry about this?

If you're getting lots of unauthorized queries, and it's causing 
excessive load on your server, it's certainly a good idea.

It's also possible that someone could make use of recursive queries to 
cause your cache to be poisoned, which would then impact your authorized 
users.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
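The decision logic the thread describes (zone-level allow-query supersedes the global one, outside resolvers get authoritative answers but are refused cache and recursion, and a delegated child zone yields a delegation instead) is small enough to model. The script below is an added illustration written for this page, not BIND code or anything from the original post; the network prefixes behind the poster's `internal` and `ex_recurse` ACLs, the `example.com.` zone and its `sub.example.com.` delegation are constructed for the example.

```python
"""Model of the allow-query / allow-recursion policy discussed in the thread.

Added illustration, not BIND code: it approximates how named decides what to
do with a query under the configuration Allen describes. The ACL contents,
the zone and the delegation below are constructed sample values.
"""
import ipaddress

# Constructed ACLs standing in for the poster's 'internal' and 'ex_recurse'.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "internal": ["10.0.0.0/8"],
    "ex_recurse": ["192.0.2.0/24"],   # customer networks allowed to recurse
    "any": ["0.0.0.0/0", "::/0"],
}

# Global options from the post: cache lookups and recursion only for trusted nets.
OPTIONS = {
    "allow-recursion": ["localhost", "internal", "ex_recurse"],
    "allow-query": ["localhost", "internal", "ex_recurse"],
}

# Authoritative zones; each overrides the global allow-query with 'any'.
# 'delegations' lists child zones handed off to other servers (constructed).
ZONES = {
    "example.com.": {"allow-query": ["any"], "delegations": ["sub.example.com."]},
}


def acl_match(acl_names, source):
    """True if the source address falls in any network of the named ACLs."""
    ip = ipaddress.ip_address(source)
    for name in acl_names:
        for net in ACLS[name]:
            n = ipaddress.ip_network(net)
            if ip.version == n.version and ip in n:
                return True
    return False


def find_zone(qname):
    """Longest-suffix match of the query name against the configured zones."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return None


def is_delegated(zone, qname):
    """True if the name lies in a child zone delegated away from us."""
    q = qname.lower().rstrip(".") + "."
    return any(q == d or q.endswith("." + d) for d in ZONES[zone]["delegations"])


def decide(source, qname):
    """Return 'answer', 'delegation', 'cache-only', 'recurse' or 'refused'."""
    zone = find_zone(qname)
    if zone is not None:
        # Authoritative data: the zone-level allow-query supersedes the global one.
        allowed = ZONES[zone].get("allow-query", OPTIONS["allow-query"])
        if not acl_match(allowed, source):
            return "refused"
        return "delegation" if is_delegated(zone, qname) else "answer"
    # Not our data: the global allow-query gates the cache, allow-recursion
    # gates going out to resolve it. Outsiders fail both and get REFUSED.
    if not acl_match(OPTIONS["allow-query"], source):
        return "refused"
    if not acl_match(OPTIONS["allow-recursion"], source):
        return "cache-only"
    return "recurse"


if __name__ == "__main__":
    for src, name in [("203.0.113.5", "www.example.com."),
                      ("203.0.113.5", "www.sub.example.com."),
                      ("203.0.113.5", "www.isc.org."),
                      ("192.0.2.10", "www.isc.org.")]:
        print(f"{src:>12} asks {name:<22} -> {decide(src, name)}")
```

Running it shows the outcomes Barry describes: an outside address gets an answer for `www.example.com.`, a delegation for a name under `sub.example.com.`, and a refusal for anything that would need the cache, while a customer in `ex_recurse` is allowed to recurse.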