allow query / allow recursion confusion

Clenna Lumina savagebeaste at yahoo.com
Thu Jun 21 03:14:41 UTC 2007


Barry Margolin wrote:
> In article <f5blac$1roq$1 at sf1.isc.org>, Nick <kvetch at gmail.com> wrote:
>
>> An acl line of "allow-query { our-nets; };" would globally only allow
>> queries from our designated IPs but deny queries from everyone else,
>> correct?
>> With the acl line above and with the line "allow-query { any; };" in
>> a zone it would then allow this zone to be queried from anyone in the
>> world.  Basically overriding the global setting but only on this
>> zone.
>>
>> From my understanding the "allow-recursion" option enables or disables
>> boxes from looking up domains that this box doesn't handle the zones
>> for. So an acl line like "allow-recursion { our-nets; };" would only
>> allow IPs within our network to look up other domains and block
>> everyone else from querying some domain, right?
>
> The main difference is that if someone is not in the "allow-recursion"
> ACL they'll be allowed to query data that is already in your server's
> cache.  So if an internal user looks up www.google.com, external users
> will be able to look this up until the cached record expires (and in
> the case of a popular name like this, it will probably be in cache
> most of the time).


> BIND 9.4 adds a new option, I think called "allow-query-cache", that
> does what most people wanted "allow-recursion" to do.

Doesn't setting

   recursion no;

do that too?

-- 
CL 
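The distinction Barry draws, as an added named.conf fragment that is not from the thread and not BIND's own documentation: a BIND 9.4+ server that publishes public zones and also resolves for internal clients. The acl name `our-nets`, its addresses and `example.com` are placeholders.

```conf
// Added example, not from the thread: BIND 9.4+ named.conf fragment for a
// server that is authoritative for public zones and also a resolver for
// internal clients. "our-nets", its prefixes and "example.com" are placeholders.
acl our-nets { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    directory "/var/named";

    // Anyone may query: the zones below are public. With only this line
    // the server is also an open resolver.
    allow-query { any; };

    // Restricts who may have this server chase names it is not
    // authoritative for. By itself it does NOT stop outsiders from reading
    // answers already in the cache (www.google.com after an internal
    // lookup, in the thread's example); they just cannot trigger new lookups.
    allow-recursion { our-nets; };

    // Closes that gap: cached, non-authoritative data is served only to our
    // networks. From 9.4 this defaults to the allow-recursion list when it is
    // not set; writing it out keeps the intent explicit.
    allow-query-cache { our-nets; };
};

// Authoritative data stays reachable from anywhere, as the global
// allow-query { any; } already permits; a per-zone allow-query is the
// place to narrow (or, as in Nick's setup, widen) that for one zone.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// The alternative CL asks about: a server that only publishes its own zones
// can put "recursion no;" in options instead of the two allow-recursion /
// allow-query-cache lines. Recursion is then disabled entirely, and in 9.4+
// allow-query-cache defaults to none, so the cache-leak question does not arise.
```

Check the file with `named-checkconf`, then from an address outside `our-nets` run `dig @<server> www.google.com +norecurse`: with `allow-query-cache` in place the status should be REFUSED even for a name an internal client has just resolved, while `dig @<server> example.com SOA` still answers.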