Recursive Domain Query on Restricted Recursive DNS

Kevin Darcy kcd at chrysler.com
Wed Nov 28 03:18:42 UTC 2007


Nicolas Pence wrote:
> Hi, I need to know how to set up the following solution:
>  
> - I have a Recursive DNS that is restricted to only wanted IP ranges,
> running Bind 9.3.2
>  
> acl mynet { iprange1/mask; iprange2/mask; iprange3/mask; };
>  
> options {
> allow-recursion { mynet; };
> allow-query { mynet; };
> allow-query-cache { mynet; };
> };
>   
Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.

>  
> - But I see some people with my NS configured doing queries to a domain
> name that
> I really want them to reach, so what I need is to enable queries "only"
> to this domain name 
> "subdom.example.com" to anybody who query my server like doing:
>  
> allow-query { any; };
>  
> - subdom.example.com is not mine so I can't be auth for this domain and
> resolve the issue 
> setting a master nor a slave zone.
>  
>  
> Is this task possible? 
>   
I think this is doable if you drop the global "allow-recursion" 
restriction (which at the global level is extraneous anyway because of 
the global allow-query), and then define the zones of interest as "type 
stub" with "allow-query" opened up.

"Type slave" should work also, of course, but that would, in addition to 
the above, require zone-transfer permission/authority and is likely to 
incur more overhead than "type stub" (depending on a variety of factors, 
e.g. zone REFRESH setting, whether the remote side supports/honors IXFR, 
TTL of the most popularly-queried records, frequency of changes to the 
zone, etc.)

                           - Kevin
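The arrangement Kevin describes, written out as a named.conf fragment. This is an added illustration, not configuration from either post in the thread or from ISC; the network ranges (RFC 5737 documentation space) and the addresses in the masters list are placeholders to be replaced with the real client ranges and the real authoritative servers for subdom.example.com.

```conf
// Added example: the layout suggested in the reply above, for BIND 9.3.x.
// Placeholder client networks; substitute your own ranges.
acl mynet { 192.0.2.0/24; 198.51.100.0/24; };

options {
    // Global default: only mynet may query this server at all.
    // No global allow-recursion: the global allow-query already refuses
    // outsiders, and a per-zone allow-query below opens up one zone only.
    allow-query { mynet; };
    // allow-query-cache is deliberately absent: it is not a 9.3.2 option.
};

// Stub zone: named fetches only the SOA/NS records of the zone from the
// listed servers, then answers queries under it by resolving against the
// zone's own authoritative servers. No zone-transfer permission is needed.
zone "subdom.example.com" {
    type stub;
    masters { 203.0.113.53; 203.0.113.54; };   // placeholder: the zone's authoritative servers
    file "stub/subdom.example.com";            // where named stores the fetched NS records
    allow-query { any; };                      // per-zone override of the global allow-query
};
```

With this in place, a query from outside mynet for a name under subdom.example.com is accepted and resolved, while a query from the same client for any other name is still refused by the global allow-query. Run named-checkconf on the file before reloading, and keep in mind that once the global allow-recursion is gone, every zone added later relies on its own allow-query (or the global one) to stay closed to outsiders.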