a question on view [bind9]

Brad Knowles brad at stop.mail-abuse.org
Tue Oct 4 16:22:50 UTC 2005


At 11:59 AM +0200 2005-10-04, per engelbrecht wrote:

>  Note: "DNS and BIND" + "DNS & BIND Cookbook" both advertise the use of
>  'recursion no;' for external view, while bind9arm uses 'allow-recursion
>  { internals; externals; };' for external view.
>  The 'externals' has an acl of 'any;' giving 'recursion yes;' ....
>  However, if I use 'recursion no;' nothing works.
>  "Well set it to yes then, stupid" you might think, but I don't like the
>  idea of having recursion yes; for the public.
>  Maybe I've read it wrong, but 'recursion no;' gives a non-working result
>  no matter what.

	You want recursion set to "no" for any IP address coming from 
outside your network.  You want to be able to give them answers for 
the domains you own, but nothing else.

	Recursion should be set to "yes" for all internal IP addresses, 
if you're going to mix both functions on the same machine.


	IMO, this is not safe, and you should at least run a totally 
separate instance of BIND listening to the internal network (and 
allowing recursion), with the other instance of BIND listening to the 
external network (and not allowing recursion).  Or, run BIND on two 
totally separate machines.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
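The split described in the reply above (recursion only for internal addresses, authoritative answers only for everyone else), written out as a BIND 9 named.conf with two views. This is an added example, not configuration from the original message or from the BIND ARM; the address ranges, zone name and file paths are made-up placeholders, and the "weak" variant in the comments is the open-resolver setting the poster is trying to avoid.

```conf
// Added example (not from the original post). Two-view BIND 9 named.conf:
// internal clients get a recursive resolver, everyone else gets
// authoritative answers for our own zones and nothing more.

acl internals { 127.0.0.0/8; 192.168.0.0/16; };   // assumed internal ranges

options {
    directory "/var/named";      // assumed working directory
    listen-on { any; };
};

// Views are tried in order and the first whose match-clients matches the
// source address wins, so the internal view has to come first; if it came
// second, internal clients would fall into the non-recursive external view
// and their lookups for anything outside our zones would fail.
view "internal" {
    match-clients { internals; };
    recursion yes;
    allow-recursion { internals; };
    allow-query { internals; };

    // Root hints are needed in the recursive view so it can resolve
    // names we are not authoritative for.
    zone "." { type hint; file "named.root"; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal (split-horizon) copy
    };
};

// Everyone else: no recursion at all, only our own zones.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };   // redundant with recursion no; kept explicit
    allow-query { any; };

    // WEAK variant, shown for contrast only. With acl externals { any; };
    // this turns the public face into an open resolver:
    //   recursion yes;
    //   allow-recursion { internals; externals; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public copy
    };
};
```

Check it with `named-checkconf` before reloading. From an outside address, `dig @server example.com SOA` should come back with the `aa` flag set, while `dig @server www.example.net A` (a name you do not serve) should not be resolved for you and the `ra` flag should be absent from the flags line; run the same two queries from an internal address and the second one should now resolve with `ra` set. If you take the reply's stronger advice and run two separate `named` processes instead of two views, each gets its own config file (`named -c /etc/named-internal.conf` and `named -c /etc/named-external.conf`) with `listen-on` restricted to the internal and external addresses respectively, and only the internal one carries the root hints and `recursion yes;`.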


