allow query / allow recursion confusion

Nick kvetch at gmail.com
Mon Jun 25 21:16:15 UTC 2007


I appreciate all the help but I am still a little confused.
So then if allow-recursion is not set I should be able to query items
in that server's cache from outside our-nets, right?
For some reason I don't seem to be able to accomplish this with my
BIND 9.3.0 installation.  I don't specify allow with recursion on or
off, just commented.  I tested by doing a lookup of yahoo.com from an
internal box
# dig @ns1.myserver.com yahoo.com
I got a response back with a ttl of 300.
Then I went to a box outside the network and tried to look it up from
the server's cache, but it got refused.
On the box outside the network I did:
# dig @ns1.myserver.com yahoo.com
............
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53934
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com.                     IN
..............

Why would it be refused? Shouldn't it be in the cache?
Here is what my conf basically looks like.  Currently it is not split
into internal and external, this box just handles external.
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 172.16.0.0/12; };
acl our-nets { 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; };
#
options {
        directory "/var/named";
        pid-file "named.pid";
        statistics-file "/var/log/named/named.stats";
        zone-statistics yes;
        listen-on-v6 { none; };
        allow-query { our-nets; };
#       allow-recursion { our-nets; };
        blackhole { bogusnets; };

};

logging {
        category default { named_info; };
        category lame-servers { null; };

        channel query_info {
                file "/var/log/named/querylog" versions 24 size 100m;
                severity info;
                print-category yes;
                print-time yes;
        };

        channel named_info {
                file "/var/log/named/namedlog" versions 10 size 30m;
                severity info;
                print-category yes;
                print-time yes;
        };

        category queries { query_info; };
        category resolver { query_info; };

};

zone "domain.com" {
        type master;
        file "domain.com.dns";
        allow-transfer{ none; };
        allow-query{ any;};
};

zone "domain2.com" {
        type master;
        file "domain2.com.dns";
        allow-transfer{ none; };
        allow-query{ any;};
};

Thanks,
Nick

On 6/21/07, Kal Feher <kal.feher at melbourneit.com.au> wrote:
>
> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>
> >
> > Doesn't setting
> >
> >    recursion no;
> >
> > do that too?
> No, I'll elaborate below from the 9.4 ARM:
>
> "allow-recursion
>
> Note that disallowing recursive queries for a host does not prevent the host
> from retrieving data that is already in the server's cache."
>
> and
>
> "recursion
>
>      Note that setting recursion no does not prevent clients from getting
> data from the server's cache; it only prevents new data from being cached as
> an effect of client queries. Caching may still occur as an effect of the
> server's internal operation, such as NOTIFY address lookups."
>
> So we now use:
>
> "allow-query-cache
>
>     Specifies which hosts are allowed to get answers from the cache. The
> default is the builtin acls localnets and localhost. "
>
>
> HTH
>
> --
> Kal Feher
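Added example (not Nick's config and not from anyone in the thread): the same server with the authoritative zones left public while recursion and cache answers are both limited to our-nets, the split that stops the box from serving as an open resolver or handing its cache to outsiders. It assumes BIND 9.4 or later, because allow-query-cache is not understood by 9.3; on 9.3 the options-level allow-query ACL is also what gates answers from the cache, which is why a config with allow-query { our-nets; } in options refuses the yahoo.com lookup from an outside host.

```conf
// Added example, not the poster's config.
// Assumes BIND 9.4+ (allow-query-cache does not exist in 9.3).
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 172.16.0.0/12; };
acl our-nets { 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; };

options {
        directory "/var/named";
        pid-file "named.pid";
        listen-on-v6 { none; };
        // Ordinary questions may come from anywhere; what an outsider can
        // actually get back is narrowed by the two ACLs below.
        allow-query { any; };
        // Only our-nets may have this server recurse on their behalf ...
        allow-recursion { our-nets; };
        // ... and only our-nets may read answers already sitting in the cache
        // (recursion no alone would still expose the cache, per the ARM text).
        allow-query-cache { our-nets; };
        blackhole { bogusnets; };
};

zone "domain.com" {
        type master;
        file "domain.com.dns";
        allow-transfer { none; };
        allow-query { any; };   // public authoritative data
};

zone "domain2.com" {
        type master;
        file "domain2.com.dns";
        allow-transfer { none; };
        allow-query { any; };
};
```

With this split, `dig @ns1.myserver.com yahoo.com` from outside our-nets is REFUSED while `dig @ns1.myserver.com domain.com` is answered, which can be confirmed with `named-checkconf` and a query from each side.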