Preventing recursion ... (preventing confusion?)
Barry Margolin
barmar at alum.mit.edu
Fri Aug 1 01:55:48 UTC 2008
In article <g6sm76$14qa$1 at sf1.isc.org>,
"Jeff Lightner" <jlightner at water.com> wrote:
> I'm using 9.3.4-P1 (backported for the exploit) on RHEL5 so had to do it
> this way. For later BIND versions you're correct based on the reading
> I did at the time.
I'm pretty sure allow-query has always worked the way I describe. If
you're not allowed to query at all, it doesn't matter whether you're
allowed to recurse. The query is rejected before it ever checks whether
the client is in the recursion ACL.
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Barry Margolin
> Sent: Wednesday, July 30, 2008 10:55 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: Preventing recursion ... (preventing confusion?)
>
> In article <g6q7bj$1tu0$1 at sf1.isc.org>,
> "Jeff Lightner" <jlightner at water.com> wrote:
>
> > On my RHEL5 box the way I ensured neither cache lookups nor recursive
> > lookups would work for outsiders was to modify named.conf to have:
> >
> > 1) options section:
> > allow-query { internaldns; externaldns; };
> > allow-recursion { internaldns; externaldns; };
>
> Of course, if you're restricting allow-query, you don't need to specify
> allow-recursion. Allow-recursion is only needed when it's more
> restrictive than allow-query.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
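An added named.conf example (not from the thread) putting the two configurations discussed above side by side: the one where allow-recursion is redundant because allow-query already excludes outsiders, and the one where it is more restrictive than allow-query and therefore does real work. The acl name, the networks and the zone name are assumptions.

```conf
// Constructed example, not a configuration posted in the thread.
acl "internal" { 127.0.0.1; 192.168.0.0/16; };   // assumed trusted networks

options {
    directory "/var/named";

    // Pattern from the quoted post: allow-query already limits who may ask
    // anything, so an identical allow-recursion adds nothing. A client
    // outside "internal" is refused before the recursion ACL is consulted.
    //   allow-query     { internal; };
    //   allow-recursion { internal; };

    // The case where allow-recursion does matter: answer anyone for the
    // zones this server is authoritative for, but recurse only for
    // internal clients. allow-recursion is now more restrictive than
    // allow-query, which is exactly when it is needed.
    allow-query     { any; };
    allow-recursion { internal; };

    // In BIND 9.4 and later, access to cached answers is governed
    // separately by allow-query-cache; set it alongside allow-recursion
    // there so outsiders cannot read the cache either.
};

zone "example.com" {           // assumed zone; reachable by anyone under allow-query { any; }
    type master;
    file "example.com.zone";
};
```

`named-checkconf /etc/named.conf` validates the syntax before a reload; the effect of the ACLs is then confirmed by querying for a name outside your zones from an address not in "internal" and checking that no recursive answer comes back.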