BIND 9.4.1-P1: "allow-query" and "allow-query-cache"

Chris Buxton cbuxton at menandmice.com
Mon Oct 22 17:27:45 UTC 2007


With the two settings you describe, an outsider will be able to query  
your server for any authoritative data that it has. This includes  
zones of type master and slave. It does not affect zones of type hint  
or forward, which control how your server performs recursion in  
response to recursive queries. (Since allow-query-cache is set to
{ none; }, your server will not perform recursion unless you
re-enable it for specific domains.)

Stub zones are interesting, because they not only control how your  
server reacts to recursive queries, they can also be used to create  
delegations from your zone to a child zone. I think data from these  
zones could be returned by your server as a referral.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com




On Oct 20, 2007, at 12:38 PM, Merton Campbell Crockett wrote:

> I've recently gotten around to upgrading from BIND 8.3.7-REL to BIND
> 9.4.1-P1.  I would like to have a better understanding of the
> "allow-query" and "allow-query-cache" options.
>
> Assuming that I have "allow-query { any; };" and "allow-query-cache
> { none; };" set in the global options for a name server, what
> information can an external system access on the name server?
>
> I presume that the external system can access information regarding
> any zone defined as "type master;".  Does this hold true when there
> are no NS resource records identifying the name server as
> authoritative for the zone?
>
> Can external systems access information regarding any zone defined as
> "type slave;"?  Again, does this hold true when there are no NS
> resource records identifying the name server as authoritative for the
> zone?
>
> What information is accessible for zones defined as "type stub;" and
> "type forward;"?
>
> Merton Campbell Crockett
> m.c.crockett at roadrunner.com
>
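
One way to check the behaviour discussed in this thread from an outside host, as an added example that is not part of the original messages: classify the header lines that `dig` prints for each query to see whether the server gave an authoritative answer, a referral, a refusal, or data from its cache. The sample headers and the names under example.com and example.net are constructed, and the sketch assumes a denied cache query comes back with status REFUSED.

```python
import re

# Constructed dig header lines for three queries sent from an outside host
# (sample data; names under example.com / example.net are placeholders).
SAMPLES = {
    "www.example.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n"),
    "host.child.example.com": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2\n"),
    "www.example.net": (
        ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"),
}

def classify(dig_output):
    """Map one dig response header to what it reveals to the outside client."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"flags: ([a-z ]+);", dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    counts = {k: int(v) for k, v in
              re.findall(r"(ANSWER|AUTHORITY): (\d+)", dig_output)}
    flagset = set(flags.group(1).split())
    if status.group(1) == "REFUSED":
        return "refused"            # query denied (assumed result for cache data)
    if "aa" in flagset:
        return "authoritative"      # data from a master or slave zone
    if counts.get("ANSWER", 0) > 0:
        return "cache-exposed"      # non-authoritative answer reached an outsider
    if counts.get("AUTHORITY", 0) > 0:
        return "referral"           # delegation only, no answer records
    return "other"

def cache_exposed(samples):
    """Names for which the server handed an outsider non-authoritative answers."""
    return sorted(n for n, out in samples.items()
                  if classify(out) == "cache-exposed")

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:26} {classify(out)}")
    print("cache exposed for:", cache_exposed(SAMPLES) or "nothing")
```
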


