Bind 9 allow-recursion limited to localhost

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 16 22:29:21 UTC 2006


Answering from cache doesn't require recursion, so allow-recursion has 
no effect on it.

Solutions:
1) Use separate views for inside versus outside, with recursion turned 
off for the "outside" view (this will result in a "root referral" being 
returned if something outside of your hosted zones is queried),
2) Only allow queries from your internal clients by default, and then 
override that default with an "allow-query { any; };" on each and every 
zone you host to the Internet (this will result in a REFUSED response 
being returned for queries outside of your hosted zones), or
3) Wait until BIND 9.4.0 comes out, since it addresses this need with 
"allow-query-cache", see http://www.isc.org/sw/bind/bind9.4-beta.php 
(REFUSED also).

                  - Kevin
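
Solution 2 above, written out as a named.conf fragment. This is an added example, not configuration from either poster; the "internal" ACL, the 192.168.0.0/24 range and the example.com zone are assumed placeholders.

```conf
// Added example (not from the original post): keep cached answers from
// leaking to outside clients on BIND 9.2.x by restricting allow-query
// globally and re-opening it per hosted zone. Names/addresses are placeholders.

acl "internal" { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/var/named";
    recursion yes;
    // Weak setting from the original post (insufficient on its own):
    // allow-recursion only gates recursive lookups, not cache hits.
    allow-recursion { "internal"; };
    // Fix: gate *all* queries by default, cache hits included.
    // Outsiders asking for anything not re-opened below get REFUSED.
    allow-query { "internal"; };
    // "query-source port 53" from the original post is deliberately left
    // out: a fixed source port makes cache poisoning easier.
    allow-transfer { none; };
};

// Each zone served to the Internet overrides the default so that
// authoritative data stays public while the cache stays private.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
    allow-transfer { 192.168.0.2; };   // placeholder secondary
};

// BIND 9.4.0 and later (Solution 3) can express the same intent without
// per-zone overrides, because cache access gets its own directive:
//
//   options {
//       allow-recursion   { "internal"; };
//       allow-query-cache { "internal"; };   // cached answers: internal only
//       allow-query       { any; };          // authoritative zones: public
//   };
```

Verify with the poster's own test: query the server from an outside address for a name you do not host both before and after an internal client has warmed the cache; both attempts should return REFUSED.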


dan_delspam at edenpics.com wrote:
> Hello.
>
> I am trying to setup a DNS that is a master for the world and a caching
> name server for the localhost only.
> I have been able to setup something quite near to this, but here is my
> problem:
>
> When I do a query of an external domain name from the outside, the
> query is properly blocked. However, if I do query the server from my
> server (localhost) for the same domain name, and then try the first
> operation of querying the server from the outside, then the query is
> successful that time.
>
> To be clearer:
>
> 1. external query blocks ok:
> from ip 192.168.0.100: nslookup google.com 192.168.0.1
> *** Can't find google.com: No answer
>
> 2. internal query works fine as wanted:
> from ip 192.168.0.1: nslookup google.com 192.168.0.1
> Name:   google.com
> Address: 64.233.167.99
>
> 3. external query like point 1 again is accepted this time:
> from ip 192.168.0.100: nslookup google.com 192.168.0.1
> Name:   google.com
> Address: 64.233.167.99
>
> It's as if the 'allow-recursion' directive would not allow to make a
> recursion (relaying the request to the source DNS server), but would
> still allow external requests to access the internal cache of the DNS.
> I don't know if this is the normal behaviour, but my question is to know
> if there is a way to block all requests of domain which are not my
> master domain names for the outside.
> I thought that this directive would take care of it, but it doesn't
> seem so.
> Can someone also try that and tell me if this is happening elsewhere or
> if this is a misconfiguration of my DNS ?
>
> I am using Bind 9.2.4-2 on a CentOS 4.3 server.
>
> Here is my configuration file (top only, the rest are only zones):
>
> options {
>         directory "/var/named";
>         recursion yes;  // prevent caching for all by default,
> overridden below.
>         allow-recursion {127.0.0.1;};
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         query-source port 53; // because firewall allows port 53 only
>         allow-transfer {"none"; };  // transfer will be allowed per
> zone below.
> };
>
> controls {
>         inet 127.0.0.1 allow { "none"; };
> };
>
> Thanks for any help.
> Daniel


