allow query / allow recursion confusion

Kal Feher kal.feher at melbourneit.com.au
Mon Jun 25 22:43:18 UTC 2007


Your global option:
allow-query { our-nets; };

This means that only the networks listed in the our-nets acl can hit the cache.
Your external tests will not, I presume, have matched this acl.

This behaviour can be overridden on a per-zone basis as well.

HTH

On 26/6/07 7:16 AM, "Nick" <kvetch at gmail.com> wrote:

> I appreciate all the help but I am still a little confused.
> So then if allow-recursion is not set I should be able to query items
> in that server's cache from outside the our-net, right?
> For some reason I don't seem to be able to accomplish this with my
> BIND 9.3.0 installation.  I don't specify allow with recursion on or
> off, just commented.  I tested by doing a lookup of yahoo.com from an
> internal box
> # dig @ns1.myserver.com yahoo.com
> I got a response back with a ttl of 300.
> Then I went to a box outside the network and tried to look it up from
> the servers cache but it got refused.
> On the box outside network I did -
> # dig @ns1.myserver.com yahoo.com
> ............
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53934
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;yahoo.com.                     IN
> ..............
> 
> Why would it be refused, shouldn't it be in cache?
> Here is what my conf basically looks like.  Currently it is not split
> into internal and external, this box just handles external.
> acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 172.16.0.0/12; };
> acl our-nets { 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; };
> #
> options {
>         directory "/var/named";
>         pid-file "named.pid";
>         statistics-file "/var/log/named/named.stats";
>         zone-statistics yes;
>         listen-on-v6 { none; };
>         allow-query { our-nets; };
> #       allow-recursion { our-nets; };
>         blackhole { bogusnets; };
> 
> };
> 
> logging {
>         category default { named_info; };
>         category lame-servers { null; };
> 
>         channel query_info {
>                 file "/var/log/named/querylog" versions 24 size 100m;
>                  severity info;
>                  print-category yes;
>                  print-time yes;
>          };
> 
>         channel named_info {
>                 file "/var/log/named/namedlog" versions 10 size 30m;
>                  severity info;
>                  print-category yes;
>                  print-time yes;
>          };
> 
>         category queries { query_info; };
>         category resolver { query_info; };
> 
> };
> 
> zone "domain.com" {
>         type master;
>         file "domain.com.dns";
>         allow-transfer { none; };
>         allow-query { any; };
> };
> 
> zone "domain2.com" {
>         type master;
>         file "domain2.com.dns";
>         allow-transfer { none; };
>         allow-query { any; };
> };
> 
> Thanks,
> Nick
> 
> On 6/21/07, Kal Feher <kal.feher at melbourneit.com.au> wrote:
>> 
>> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>> 
>>> 
>>> Doesn't setting
>>> 
>>>    recursion no;
>>> 
>>> do that too?
>> No, I'll elaborate below from the 9.4 ARM:
>> 
>> "allow-recursion
>> 
>> Note that disallowing recursive queries for a host does not prevent the host
>> from retrieving data that is already in the server's cache."
>> 
>> and
>> 
>> "recursion
>> 
>>      Note that setting recursion no does not prevent clients from getting
>> data from the server's cache; it only prevents new data from being cached as
>> an effect of client queries. Caching may still occur as an effect the
>> server's internal operation, such as NOTIFY address lookups."
>> 
>> So we now use:
>> 
>> "allow-query-cache
>> 
>>     Specifies which hosts are allowed to get answers from the cache. The
>> default is the builtin acls localnets and localhost. "
>> 
>> 
>> HTH
>> 
>> --
>> Kal Feher
>> 
> 

-- 
Kal Feher
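As an added illustration (not code from the thread, and not BIND's own logic), the following Python model walks through the ACL interactions described above: the global allow-query gating cache reads in 9.3, per-zone allow-query overriding it, allow-recursion and "recursion no" leaving cache reads alone, and allow-query-cache taking over that role in 9.4 with the quoted localnets/localhost default. The ACLs are copied from the named.conf posted by Nick; the builtin "localnets" is assumed to expand to 192.168.1.0/24, 203.0.113.5 is a constructed outside address, and the "NOT ANSWERED" label for a cache miss from a client that may not recurse is a placeholder rather than a real rcode.

```python
"""Toy model of BIND's allow-query / allow-recursion / recursion /
allow-query-cache interactions as described in the bind-users thread.
Constructed example: it does not talk to a real named."""
import ipaddress

# ACLs from the posted named.conf plus the builtins the thread mentions.
# "localnets" is an assumption about what BIND would derive on this box.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24", "172.16.0.0/12"],
    "our-nets": ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"],
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.0/8"],
    "localnets": ["192.168.1.0/24"],
}


def acl_match(src, names):
    """True if the source address falls inside any network of the named ACLs."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for name in names for n in ACLS[name])


class Named:
    def __init__(self, allow_query=("any",), allow_recursion=("any",), recursion=True,
                 allow_query_cache=None, blackhole=("none",), zones=None):
        self.allow_query = list(allow_query)          # ARM default: any
        self.allow_recursion = list(allow_recursion)  # ARM default: any
        self.recursion = recursion                    # "recursion yes|no"
        self.allow_query_cache = allow_query_cache    # None = directive absent
        self.blackhole = list(blackhole)
        # zone name -> per-zone allow-query ACL list, or None for "not set"
        self.zones = zones or {}
        self.cache = set()                            # names answered by recursion

    def _cache_acl(self, version):
        if version < (9, 4):
            # 9.3 has no allow-query-cache: the global allow-query gates cache reads
            return self.allow_query
        if self.allow_query_cache is not None:
            return self.allow_query_cache
        return ["localnets", "localhost"]             # default quoted from the 9.4 ARM

    def query(self, src, qname, version=(9, 3)):
        if acl_match(src, self.blackhole):
            return "DROPPED"
        # Authoritative data: the per-zone allow-query overrides the global one.
        zone = next((z for z in sorted(self.zones, key=len, reverse=True)
                     if qname == z or qname.endswith("." + z)), None)
        if zone is not None:
            acl = self.zones[zone] if self.zones[zone] is not None else self.allow_query
            return "NOERROR (authoritative)" if acl_match(src, acl) else "REFUSED"
        # Everything else is served from the cache, so the cache ACL is checked first.
        if not acl_match(src, self._cache_acl(version)):
            return "REFUSED"
        if qname in self.cache:
            return "NOERROR (from cache)"
        # A miss needs recursion; "recursion no" or allow-recursion only stops this step.
        if self.recursion and acl_match(src, self.allow_recursion):
            self.cache.add(qname)
            return "NOERROR (recursed)"
        return "NOT ANSWERED (no recursion for this client)"


def nicks_server():
    """The posted configuration: allow-recursion commented out, zones open to any."""
    return Named(allow_query=["our-nets"], blackhole=["bogusnets"],
                 zones={"domain.com": ["any"], "domain2.com": ["any"]})


def scenarios():
    """Reproduce the thread's observations and the 9.4 allow-query-cache variant."""
    s = nicks_server()
    out = {
        "inside_first_lookup": s.query("192.168.1.10", "yahoo.com"),   # recursed, cached
        "inside_second_lookup": s.query("192.168.1.10", "yahoo.com"),  # from cache
        "outside_cache_read": s.query("203.0.113.5", "yahoo.com"),     # REFUSED by allow-query
        "outside_authoritative": s.query("203.0.113.5", "www.domain.com"),
        "bogusnet_source": s.query("172.16.5.5", "www.domain.com"),
    }
    # "recursion no" with an open allow-query: cache is still readable from outside.
    r = Named(allow_query=["any"], recursion=False)
    r.cache.add("yahoo.com")
    out["recursion_no_cache_hit"] = r.query("203.0.113.5", "yahoo.com")
    out["recursion_no_cache_miss"] = r.query("203.0.113.5", "example.org")
    # 9.4: zones open to any, cache limited with allow-query-cache instead.
    c = Named(allow_query=["any"], allow_query_cache=["our-nets"], zones={"domain.com": None})
    c.cache.add("yahoo.com")
    out["v94_outside_cache_read"] = c.query("203.0.113.5", "yahoo.com", version=(9, 4))
    out["v94_inside_cache_read"] = c.query("192.168.3.7", "yahoo.com", version=(9, 4))
    out["v94_outside_authoritative"] = c.query("203.0.113.5", "domain.com", version=(9, 4))
    return out


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:28} {v}")
```

The model keeps the two decisions separate, which is the point of the thread: who may read the cache is decided by allow-query (9.3) or allow-query-cache (9.4), and only afterwards does allow-recursion or "recursion no" decide whether a miss may be resolved.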