Open DNS Server

Mark Andrews Mark_Andrews at isc.org
Sat Aug 12 14:19:29 UTC 2006


> >
> > I think it is always a good idea that if you have an external facing
> > dns server that you disable recursive lookups on it.  I don't know what
> > sort of situation you're in, but I would normally recommend two
> > different servers, one for the internal network (read: not externally
> > accessible), and one for the external network (read: internet
> > accessible).  However, depending on your situation, if you only have
> > one server to dedicate for this, you can set it so that it only allows
> > recursive lookups for internal IP addresses:
> >
> >       allow-recursion { 127.0.0.1; 192.168.0.0/24; };
> >
> > in the options section of your bind config.
> 
> Even so, with this line in my bind config a query from a remote host
> fails. However, if I fire that same query from the internal network it
> succeeds.
> 
> This is intended.
> 
> If you then retest that query from the remote host it also succeeds.
> 
> So initial queries fail, but successful queries from the internal lan will
> build a cache and it will even return those results to a remote host
> querying for that same name. Not sure if that was intended or not.
> 
> This is in BIND 9.2.1, which is shipped with Debian 3.1.

	Upgrade.  BIND 9.2.1 is ancient.
 
> Kind regards,
> 
> Seth
> 
> 

	allow-recursion { acl; };
	allow-query { acl; };

	zone ... {
		...
		allow-query { any; };
	};

	...

	zone ... {
		...
		allow-query { any; };
	};

	9.4.0 has allow-query-cache.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
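
The cache leak Seth describes, and the global allow-query plus per-zone allow-query { any; } arrangement in the reply, modelled as an added Python example (not BIND code and not part of this thread). The ACL contents, client addresses, zone data and the UPSTREAM stand-in for Internet resolution are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ACLs mirroring the named.conf fragment quoted above.
INTERNAL = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("192.168.0.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed stand-in for what a recursive lookup on the Internet would return.
UPSTREAM = {"www.example.net.": "198.51.100.7"}

def in_acl(acl: List[ipaddress.IPv4Network], client: str) -> bool:
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl)

@dataclass
class Resolver:
    allow_recursion: List[ipaddress.IPv4Network]
    allow_query: List[ipaddress.IPv4Network] = field(default_factory=lambda: ANY)
    allow_query_cache: Optional[List[ipaddress.IPv4Network]] = None  # None: option absent (pre-9.4)
    zones: Dict[str, str] = field(default_factory=dict)   # authoritative data, allow-query { any; }
    cache: Dict[str, str] = field(default_factory=dict)

    def query(self, client: str, name: str):
        if name in self.zones:                    # per-zone allow-query { any; } overrides the global ACL
            return "auth", self.zones[name]
        if not in_acl(self.allow_query, client):  # global allow-query governs non-authoritative names
            return "refused", None
        if name in self.cache:
            # Without allow-query-cache, a cached answer is served regardless of allow-recursion.
            if self.allow_query_cache is not None and not in_acl(self.allow_query_cache, client):
                return "refused", None
            return "cached", self.cache[name]
        if not in_acl(self.allow_recursion, client):
            return "refused", None
        answer = UPSTREAM.get(name, "NXDOMAIN")
        self.cache[name] = answer
        return "recursive", answer

def leaky_sequence():
    """allow-recursion alone: the remote host's retry is answered from cache."""
    r = Resolver(allow_recursion=INTERNAL, zones={"www.example.com.": "192.0.2.10"})
    return [r.query(c, "www.example.net.")[0] for c in ("203.0.113.5", "192.168.0.10", "203.0.113.5")]

def fixed_sequence():
    """Reply's fix: restrict allow-query globally, open it per zone; remote gets authoritative data only."""
    r = Resolver(allow_recursion=INTERNAL, allow_query=INTERNAL, zones={"www.example.com.": "192.0.2.10"})
    seq = [r.query(c, "www.example.net.")[0] for c in ("203.0.113.5", "192.168.0.10", "203.0.113.5")]
    return seq + [r.query("203.0.113.5", "www.example.com.")[0]]

if __name__ == "__main__":
    print(leaky_sequence())  # ['refused', 'recursive', 'cached']
    print(fixed_sequence())  # ['refused', 'recursive', 'refused', 'auth']
```

Passing allow_query_cache=INTERNAL instead models the 9.4.0 allow-query-cache option mentioned in the reply: the remote retry is refused while the global allow-query can stay open.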


