query cache and BIND 9.4.1-P1
Chris Buxton
cbuxton at menandmice.com
Fri Jul 27 18:34:52 UTC 2007
Starting in 9.4, the following have become the defaults:
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };
Note that, starting in the most recent version, these two are linked
by default - you can set one, and if you don't set the other, the
other will be set to match. So all you need to do is:
allow-recursion { trusted-nets; };
This assumes you have defined a list of trusted networks as an ACL.
Otherwise, replace "trusted-nets" with the actual subnet(s) you
intend to allow recursion for.
Chris Buxton
Men & Mice
On Jul 27, 2007, at 11:14 AM, Barry Finkel wrote:
> I was running BIND 9.3.4, and this morning on two of our four servers
> I upgraded to BIND 9.4.1-P1. On one interal DNS server I see in the
> syslog:
>
> Jul 27 10:25:05 dns1 named[12597]: [ID 873579 daemon.info]
> client 146.139.76.39#1825: query (cache) 'www.msn.com/A/IN'
> denied
>
> I see in the 9.4.1-P1 README file:
>
> New option "allow-query-cache". This lets allow-query be
> used to specify the default zone access level rather than
> having to have every zone override the global value.
> allow-query-cache can be set at both the options and view
> levels. If allow-query-cache is not set allow-query applies.
>
> Would I need to make any configuration changes to allow my internal
> clinets access to the 9.4.1-P1 DNS cache? The README text above
> sems to imply that I would not have to make any changes. I have no
>
> allow-query
>
> statements in the BIND 9.3.4 configuration file.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory Phone: +1 (630) 252-7277
> 9700 South Cass Avenue Facsimile:+1 (630) 252-4601
> Building 222, Room D209 Internet: BSFinkel at anl.gov
> Argonne, IL 60439-4828 IBMMAIL: I1004994
>
>
More information about the bind-users
mailing list