Preventing recursion ... (preventing confusion?)

Jeff Lightner jlightner at water.com
Wed Jul 30 17:05:56 UTC 2008


On my RHEL5 box, the way I ensured neither cache lookups nor recursive
lookups would work for outsiders was to modify named.conf to have:

1)  options section:
        allow-query { internaldns; externaldns; };
        allow-recursion { internaldns; externaldns; };

2)  Create ACLs named internaldns and externaldns which specified IPs or
ranges of IPs that I wanted to allow to do recursive and cache lookups.

3)  Modify each zone section to include:
        allow-query { any; };

The options section is global, so it restricts queries (including cache) and
recursion to only the IPs defined in the ACLs. The modification of the
zone sections allows anyone (whether they are in the ACLs or not) to do
queries of the zones for which we're authoritative.

Note this was on the RHEL5 patched version of 9.3.4-P1 which has also
been back-ported to have the new exploit port randomization fix. I
believe it would work for the version you noted as well.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Peter Laws
Sent: Wednesday, July 30, 2008 12:44 PM
To: Jeremy C. Reed
Cc: bind-users at isc.org
Subject: Re: Preventing recursion ... (preventing confusion?)

Jeremy C. Reed wrote:
> With older versions, a workaround is to have a default allow-query for
> just your local networks (like your allow-recursion) in the options
> and then open up allow-query { any; }; just within your specific zone
> statements.

Clearly, RH hasn't back-ported that feature.

The work-around gives the desired e-finger.

Many thanks!

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at ou.edu
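The workaround described in this thread, written out as a complete named.conf fragment for a BIND 9.3-era server (an added example, not configuration posted by either author; the ACL address ranges, zone names and file paths are placeholders):

```conf
// Added example, not from the thread. Address ranges below are assumed
// placeholders (RFC 1918 and RFC 5737 documentation space).
acl internaldns { 127.0.0.1; 10.0.0.0/8; };
acl externaldns { 192.0.2.0/24; };   // e.g. off-site resolvers you trust

options {
    directory "/var/named";

    // Global defaults. Because allow-query applies to answers served from
    // cache as well, only ACL members can read cached data at all, and
    // only ACL members can have the server recurse on their behalf.
    allow-query     { internaldns; externaldns; };
    allow-recursion { internaldns; externaldns; };
};

// Each authoritative zone overrides the global allow-query. Anyone may ask
// for names in these zones; recursion is still governed by the global
// allow-recursion, so an outsider gets authoritative data only and an
// off-zone query from an outsider is REFUSED.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-query { any; };
};

// Caveat: a zone without its own allow-query { any; } inherits the global
// restriction and becomes invisible to outsiders, so the override must be
// repeated in every zone the server is authoritative for.
```

To check the result from an address outside both ACLs, query a name in an authoritative zone (expect an answer with the "aa" flag and no "ra" flag) and then a name outside your zones (expect status REFUSED); named-checkconf will catch syntax slips before a reload.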

