Best allow-query setting on an authoritative-only nameserver
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 3 01:15:28 UTC 2007
In practical terms, I don't think it really matters much. Either way,
the requestor isn't going to get any useful information back. Either
way, if someone is so incompetent or malicious as to delegate a zone to
your nameservers, for which you are non-authoritative/lame, then any
reasonable caching resolver following that lame delegation is going to
mark you as lame for the zone regardless of whether the response is
REFUSED or an upwards referral.
In theory, REFUSED might save you a few octets in your responses, but
probably not enough to make any significant difference in your network
traffic. On the downside, REFUSED might possibly -- again, in _theory_
-- heighten curiosity and thus increase the incidence of probing (they
might think you have a *real* example.com zone defined, with sensitive
information in it, and you're just blocking their particular address
range from querying it).
Again, I don't think it really matters much...
- Kevin
Chris Thompson wrote:
> The scenario is a nameserver with "recursion no" in options and
> each zone statement having its own explicit "allow-query" setting
> (mostly "any"). This is intended only as an authoritative server
> for a number of zones.
>
> Question: what is the best setting for "allow-query" in options,
> which applies only to queries not in any of those zones? Or perhaps
> better, what are the pros and cons of "allow-query {none;};" versus
> "allow-query {any;};" in this context? Is it better to reply REFUSED
> or to give a referral to the root nameservers? (I suppose one should
> also distinguish between "better for us" and "better for them".)
>
> To be honest, not _quite_ all the zones have their own allow-query
> in the case I am thinking of. "localhost", "0.0.127.in-addr.arpa",
> etc. inherit the setting from options.
>
> BIND 9.3.4 incidentally, so allow-query-cache not relevant yet.
>
>
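As an added illustration (not part of either message above), here is a named.conf sketch of the setup Chris describes, with the two candidate options-level settings side by side. Zone names and file paths are placeholders; the root hint zone is assumed, since an upward referral can only be generated from it.

```conf
options {
    recursion no;             // authoritative-only: never recurse for anyone

    // Choice A: queries for names outside every configured zone are REFUSED
    allow-query { none; };

    // Choice B (comment out A, uncomment this): such queries get an upward
    // referral to the root nameservers taken from the hint zone below
    // allow-query { any; };
};

// Assumed root hint zone; without it there is nothing to refer clients to
zone "." {
    type hint;
    file "named.root";
};

// Placeholder zone: its explicit allow-query overrides the options setting
zone "example.net" {
    type master;
    file "master/example.net";
    allow-query { any; };
};

// No allow-query here, so it inherits whatever options says (A or B)
zone "localhost" {
    type master;
    file "master/localhost";
};
```

On BIND 9.3 the options-level allow-query also governs the zones that inherit it, so choice A silently makes "localhost" and similar zones unanswerable to everyone but the server itself unless they get their own allow-query.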