open recursion/cache problem

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 29 17:57:35 UTC 2006


Stefan Schmidt wrote:
> On Tue, Aug 29, 2006 at 12:31:10PM +0100, Chris Thompson wrote:
>   
>>> He asked to specifically limit recursive queries to his IP space as he
>>> also has zones he is authoritative for that need to get served - so he
>>> cannot just block all queries recursive or otherwise.
>>>       
>> That's _why_ Barry said
>>
>>   Then in all the public zone definitions, add "allow-query{any;};"
>>
>> Specifying allow-query in a zone statement overrides the value in the 
>> options statement, for queries for records within that zone.
>>     
>
> Right, I misread him then.
> I separated authoritative and recursive nameservers long ago - which is what
> I would strongly recommend doing if you have more than just a few zones
> to manage btw. - so I forgot about the following:
>
> allow-recursion
>     Specifies which hosts are allowed to make recursive queries through
>     this server. If not specified, the default is to allow recursive
>     queries from all hosts. Note that disallowing recursive queries
>     for a host does not prevent the host from retrieving data that is
>     already in the server's cache. 
>
> For Jeffrey's setup this means that clients not listed in allow-recursion
> will not be able to trigger named to issue any recursive action but
> will be shown the contents of what it already cached which we might call
> minor information leakage.
>
> IMO there should be an option that prevents non-authoritative zones from
> being queried. This way the above would become more clear.
> Say allow-recursive-clients-from or something similar.
>
>   
BIND 9.4.0 has "allow-query-cache" (from CHANGES):

    New option "allow-query-cache". This lets allow-query be
    used to specify the default zone access level rather than
    having to have every zone override the global value.
    allow-query-cache can be set at both the options and view
    levels. If allow-query-cache is not set allow-query applies.

					- Kevin
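As an added illustration (not part of the original thread, and not a configuration from any of the posters), here is a named.conf fragment that puts the two pieces together: allow-recursion limits who may make the server recurse, and the BIND 9.4.0 allow-query-cache option closes the gap Stefan quotes from the documentation, where a host that is denied recursion can still read whatever is already in the cache. The ACL name, address ranges, directory and zone file name are assumptions.

```conf
// Added example, not from the original posts. Address ranges are assumed.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";            // assumed path

    // Only internal clients may have this server recurse on their behalf.
    allow-recursion { internal; };

    // BIND 9.4.0 and later: answers served from the cache are restricted
    // to the same clients, so outside hosts cannot read cached data
    // (the "minor information leakage" noted in the thread).
    allow-query-cache { internal; };

    // With allow-query-cache set, allow-query here becomes the default
    // for zone data only, so public zones no longer need their own override.
    allow-query { any; };
};

// Public (authoritative) zone: answers go to everyone.
// The per-zone allow-query is only required on versions before 9.4.0,
// where options { allow-query { internal; }; } would otherwise apply;
// it is harmless to keep on newer versions.
zone "example.com" {
    type master;
    file "example.com.zone";           // assumed file name
    allow-query { any; };
};
```

Check the file with named-checkconf before reloading. After the reload, a query from an address outside the "internal" ACL for a name the server is authoritative for should still be answered, while a query from the same address for a name that is only present in the cache should be refused rather than answered from the cache.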
