Recursive Domain Query on Restricted Recursive DNS
Kevin Darcy
kcd at chrysler.com
Wed Nov 28 03:18:42 UTC 2007
Nicolas Pence wrote:
> Hi, I need to know how to set up the following solution:
>
> - I have a Recursive DNS that is restricted to only wanted IP ranges,
> running Bind 9.3.2
>
> acl mynet { iprange1/mask; iprange2/mask; iprange3/mask; };
>
> options {
> allow-recursion { mynet; };
> allow-query { mynet; };
> allow-query-cache { mynet; };
> };
>
Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.
>
> - But I see some people with my NS configured doing queries to a domain
> name that
> I really want them to reach, so what I need is to enable queries "only"
> to this domain name
> "subdom.example.com" for anybody who queries my server, like doing:
>
> allow-query { any; };
>
> - subdom.example.com is not mine, so I can't be auth for this domain and
> resolve the issue
> by setting up a master or a slave zone.
>
>
> Is this task possible?
>
I think this is doable if you drop the global "allow-recursion"
restriction (which at the global level is extraneous anyway because of
the global allow-query), and then define the zones of interest as "type
stub" with "allow-query" opened up.
"Type slave" should work also, of course, but that would, in addition to
the above, require zone-transfer permission/authority and is likely to
incur more overhead than "type stub" (depending on a variety of factors,
e.g. zone REFRESH setting, whether the remote side supports/honors IXFR,
TTL of the most popularly-queried records, frequency of changes to the
zone, etc.)
- Kevin
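Kevin's suggestion written out as a named.conf fragment for BIND 9.3.x. This is an added example, not configuration from the thread; the ACL ranges and the 192.0.2.53 master address are constructed placeholders, and the file name is an assumption.

```conf
// Added example (not from the original thread). Documentation ranges and
// 192.0.2.53 are constructed placeholders; substitute the real values.
acl mynet { 192.0.2.0/24; 198.51.100.0/24; };

options {
    // The global allow-query keeps the cache closed to everyone outside
    // mynet. The global allow-recursion line from the original post is
    // dropped, as suggested, so it cannot block recursion for the one
    // zone opened up below.
    allow-query { mynet; };
};

// A stub zone holds only the NS (and SOA/glue) records fetched from the
// listed masters, so no zone-transfer permission is needed. The zone-level
// allow-query overrides the global one for names under subdom.example.com,
// and only for those names; everything else stays restricted to mynet.
zone "subdom.example.com" {
    type stub;
    masters { 192.0.2.53; };            // placeholder: a server authoritative for the zone
    file "stub.subdom.example.com";     // assumed file name, relative to "directory"
    allow-query { any; };
};
```

After reloading, a query for a name under subdom.example.com from outside mynet should be answered, while a query for any other name from the same client should still be refused; checking both cases with dig confirms the zone-level ACL took effect without widening the global one.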