open recursion/cache problem
Kevin Darcy
kcd at daimlerchrysler.com
Tue Aug 29 17:57:35 UTC 2006
Stefan Schmidt wrote:
> On Tue, Aug 29, 2006 at 12:31:10PM +0100, Chris Thompson wrote:
>
>>> He asked to specifically limit recursive queries to his IP space as he
>>> also has zones he is authoritative for that need to get served - so he
>>> cannot just block all queries, recursive or otherwise.
>>>
>> That's _why_ Barry said
>>
>> Then in all the public zone definitions, add "allow-query{any;};"
>>
>> Specifying allow-query in a zone statement overrides the value in the
>> options statement, for queries for records within that zone.
>>
>
> Right, I misread him then.
> I separated authoritative and recursive nameservers long ago - which is what
> I would strongly recommend doing if you have more than just a few zones
> to manage btw. - so I forgot about the following:
>
> allow-recursion
> Specifies which hosts are allowed to make recursive queries through
> this server. If not specified, the default is to allow recursive
> queries from all hosts. Note that disallowing recursive queries
> for a host does not prevent the host from retrieving data that is
> already in the server's cache.
>
> For Jeffrey's setup this means that clients not listed in allow-recursion
> will not be able to trigger named to issue any recursive action but
> will be shown the contents of what it already cached, which we might call
> minor information leakage.
>
> IMO there should be an option that prevents non-authoritative zones from
> being queried. This way the above would become more clear.
> Say allow-recursive-clients-from or something similar.
>
>
BIND 9.4.0 has "allow-query-cache" (from CHANGES):
New option "allow-query-cache". This lets allow-query be
used to specify the default zone access level rather than
having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels. If allow-query-cache is not set allow-query applies.
- Kevin
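The three directives discussed in this thread, put together in one named.conf for a server that is authoritative for a public zone and a recursive resolver for its own clients only. This is an added example, not configuration posted by anyone in the thread; the ACL prefix 192.0.2.0/24, the zone name example.com and the file paths are placeholders.

```conf
// Added example (not from the thread). Placeholder network and zone name.
acl "our-clients" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Default access for anything a zone statement does not override.
    // Without allow-query-cache (BIND before 9.4.0) this value also
    // governs cache reads, so every public zone must override it below.
    allow-query { our-clients; };

    // Only our clients may make named resolve on their behalf.
    // On its own this does NOT stop outsiders reading already-cached data.
    allow-recursion { our-clients; };

    // BIND 9.4.0+: restrict cache reads separately, closing the
    // "cached data still visible" gap that allow-recursion leaves open.
    allow-query-cache { our-clients; };
};

// Public authoritative zone: per-zone allow-query overrides the global
// default, so anyone may query records inside this zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

After `named-checkconf` passes and the server is reloaded, the behaviour can be confirmed from an address outside the ACL: a query for a name in example.com (for instance the SOA) is answered, while a query for any name outside the server's zones comes back with status REFUSED rather than a cached answer.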