Preventing recursion ... (preventing confusion?)

Barry Margolin barmar at alum.mit.edu
Fri Aug 1 01:55:48 UTC 2008


In article <g6sm76$14qa$1 at sf1.isc.org>,
 "Jeff Lightner" <jlightner at water.com> wrote:

> I'm using 9.3.4-P1 (backported for the exploit) on RHEL5 so had to do it
> this way.   For later BIND versions you're correct based on the reading
> I did at the time.

I'm pretty sure allow-query has always worked the way I describe.  If 
you're not allowed to query at all, it doesn't matter whether you're 
allowed to recurse.  The query is rejected before it ever checks whether 
the client is in the recursion ACL.

> 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Barry Margolin
> Sent: Wednesday, July 30, 2008 10:55 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: Preventing recursion ... (preventing confusion?)
> 
> In article <g6q7bj$1tu0$1 at sf1.isc.org>,
>  "Jeff Lightner" <jlightner at water.com> wrote:
> 
> > On my RHEL5 box the way I ensured neither cache lookups nor recursive
> > lookups would work for outsiders was to modify named conf to have:
> > 
> > 1)  options section:
> >         allow-query { internaldns; externaldns; };
> >         allow-recursion { internaldns; externaldns; };
> 
> Of course, if you're restricting allow-query, you don't need to specify 
> allow-recursion.  Allow-recursion is only needed when it's more 
> restrictive than allow-query.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
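As an added illustration (not part of either poster's message), here is a named.conf sketch covering both situations Barry describes: the thread's own settings, where allow-recursion is redundant because allow-query already refuses outsiders, and the case where allow-recursion actually does the work. The ACL names come from the thread; the address ranges are constructed placeholders.

```conf
// Constructed placeholder networks (RFC 5737 documentation ranges); the ACL
// names are the ones used in the thread.
acl "internaldns" { 192.0.2.0/24; };
acl "externaldns" { 198.51.100.0/24; };

// Alternative A: what the thread configures. A client outside both ACLs
// fails the allow-query check first, so its query is refused before the
// recursion ACL is consulted at all; allow-recursion is harmless but redundant.
options {
    recursion yes;
    allow-query     { internaldns; externaldns; };
    allow-recursion { internaldns; externaldns; };
};

// Alternative B (replaces the options block above; only one may be present):
// the server must answer its own zones for everyone, so allow-query is open
// and the narrower allow-recursion is what stops outsiders from using it as
// a resolver. On BIND 9.4 and later, allow-query-cache additionally limits
// who may read answers already in the cache.
//
// options {
//     recursion yes;
//     allow-query     { any; };
//     allow-recursion { internaldns; };
// };

zone "example.com" {
    type master;
    file "example.com.zone";
};
```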

