open recursion/cache problem

Jeffrey Williams jeff at sailorfej.net
Thu Aug 24 19:15:25 UTC 2006


I am running bind 9.3.2 on FreeBSD 6.1

I want to limit recursive queries to my systems on my own subnet; 
the following is my named.conf:

acl bogusnets {
         0.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16;
         172.16.0.0/12; 169.254.0.0/16;
         192.0.2.0/24; 224.0.0.0/4; 240.0.0.0/4;
         };
acl mynets { x.x.x.0/24; };

options {
         directory "/etc/namedb";
         pid-file "/var/run/named/pid";
         dump-file "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
         version "not really";
         allow-recursion { mynets; };
         blackhole { bogusnets; };
         forwarders {
                 my.isp.ns1.34;
                 my.isp.ns2.14;
                 };
         };

I have tested recursive query status with dnsreport and the following tool:

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

both indicate I am running a non-recursive DNS for domains I am not 
authoritative for.

But when I do a dig from a client not on my allowed subnet I am getting 
answers for domains my nameserver is not authoritative for, see below:

me at myhomecomp:~> dig @my.ns1.com www.microsoft.com

; <<>> DiG 9.3.0 <<>> @my.ns1.com www.microsoft.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61728
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.microsoft.com.             IN      A

;; ANSWER SECTION:
www.microsoft.com.      352     IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 52    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    52      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  52      IN      A       207.46.225.60
lb1.www.ms.akadns.net.  52      IN      A       207.46.20.30
lb1.www.ms.akadns.net.  52      IN      A       207.46.20.60
lb1.www.ms.akadns.net.  52      IN      A       207.46.19.30
lb1.www.ms.akadns.net.  52      IN      A       207.46.199.60
lb1.www.ms.akadns.net.  52      IN      A       207.46.198.30
lb1.www.ms.akadns.net.  52      IN      A       207.46.19.60
lb1.www.ms.akadns.net.  52      IN      A       207.46.199.30

;; Query time: 12 msec
;; SERVER: x.x.x.20#53(my.ns1.com)
;; WHEN: Thu Aug 24 11:20:08 2006
;; MSG SIZE  rcvd: 235

me at myhomecomp:~>

Now I did see a forum thread that said that the allow-recursion 
{acl} option will not stop the nameserver from answering queries for 
entries already cached, short of turning off caching. Is there any other 
way to restrict external queries for domains I am not authoritative for, 
even if they are cached?

Thanks
Jeff
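
The behaviour in the post is the expected one for BIND 9.3: allow-recursion only decides who may trigger a recursive lookup, and a non-recursive query (or one for a name another client already populated the cache with) is still answered from the single shared cache. The named.conf sketch below is an added example, not the poster's configuration or anything from the BIND project; it uses views, which each own a separate cache in BIND 9, so the view external clients land in has nothing cached to hand out. The subnet 192.0.2.0/24, the zone example.com and its zone file, and the forwarder address 192.0.2.1 are placeholders standing in for the redacted values in the post.

```conf
// Added example (not the poster's config): split recursion by view so that
// clients outside the local subnet never see the resolver cache.
// Placeholders: 192.0.2.0/24 = local subnet, example.com = the zone this
// server is authoritative for, 192.0.2.1 = the ISP forwarder.

acl mynets { 192.0.2.0/24; };

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        version "not really";
        // No allow-recursion here: recursion policy lives in the views below.
};

// Internal view: local clients only. Recursion is on, queries go to the
// forwarder, and answers are cached in this view's own cache.
view "internal" {
        match-clients { mynets; };
        recursion yes;
        forwarders { 192.0.2.1; };   // placeholder for my.isp.ns1/ns2

        zone "example.com" {
                type master;
                file "example.com.zone";   // placeholder zone file
        };
};

// External view: everyone else. Recursion is off and, because this view
// has a cache of its own that is never populated, an outside client asking
// for www.microsoft.com gets REFUSED instead of a cached answer. Only the
// authoritative zone is served here.
view "external" {
        match-clients { any; };
        recursion no;

        zone "example.com" {
                type master;
                file "example.com.zone";
        };
};
```

Two things to check after adopting this layout: run named-checkconf before reloading, since once any view is declared every zone (including the root hints zone, if the internal view does its own recursion instead of forwarding) must be moved inside a view; and re-test from an outside address with dig, expecting status REFUSED for a name you are not authoritative for, where the post's output shows NOERROR with the ra flag. On BIND 9.4 and later the same goal is reachable without views through the allow-query-cache option, which restricts who may read cached data and, when allow-recursion is set, defaults to that ACL.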
