DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Tue Jun 24 14:30:08 UTC 2008


My apologies - On rereading it I guess I misinterpreted what it said.
It had mentioned BIND 9.3 then it said "Prior to BIND 9.4.1-P1" later
then went back to a comment about BIND 9.3 so in my head "Prior to BIND
9.4.1-P1" meant BIND 9.3 due to the mentions before and after.

The link was mentioned by me earlier in the thread:
http://www.isc.org/index.pl?/sw/bind/docs/support_bulletin_200707.php

The section of the link I misread:

"In BIND 9.3, there was no segregation of queries between cache and
authoritative data.

The release of BIND 9.4 added fine-grained differentiation between
queries against authoritative data ("allow-query") and cached data
("allow-query-cache"). This allows more precise control, particularly if
you do not want your clients to use any cached data, for example, in an
authoritative-only nameserver.

Prior to the release of BIND 9.4.1-P1, the default action of
"allow-recursion" and "allow-query-cache" was to permit the query. The
P1 patch to BIND 9.4.1 caused two changes in this behavior:

1) If not explicitly set, the ACLs for "allow-query-cache" and
"allow-recursion" were set to "localnets; localhost;".

2) If either "allow-query-cache" or "allow-recursion" was set, the other
would be set the same value.

Upgrading from the BIND 9.3 branch to BIND 9.4.1-P1 will significantly
restrict those servers that were previously recursive servers for more
than "localhost; localnets;" unless configuration changes are made."


-----Original Message-----
From: Jeremy C. Reed [mailto:Jeremy_Reed at isc.org] 
Sent: Tuesday, June 24, 2008 10:17 AM
To: Jeff Lightner
Cc: comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?

On Tue, 24 Jun 2008, Jeff Lightner wrote:

> Thanks.  I'd pretty much come to that conclusion based on my searches.
> I guess that means the link even though it is on ISC's site is
> incorrect.

Can you point me to the incorrect information?

Thanks.

(Also note that the earlier reply also gave a different solution without
using allow-query-cache.)
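The ACL behaviour the quoted bulletin describes, as an added named.conf illustration that is not from this thread or from ISC: fragment (A) spells out the permissive pre-9.4.1-P1 defaults, fragment (B) the restricted form that 9.4.1-P1 applies when the ACLs are left unset, written explicitly so an upgrade does not change behaviour silently. The "trusted" ACL name and the 192.0.2.0/24 range are assumptions chosen for illustration; each fragment is a separate, alternative options block.

```conf
// --- (A) weak: equivalent to the pre-9.4.1-P1 defaults ---
// Anyone may recurse through this server and read its cache,
// i.e. an open resolver whose cache contents are observable.
options {
    recursion yes;
    allow-query       { any; };
    allow-recursion   { any; };
    allow-query-cache { any; };
};

// --- (B) restricted: what 9.4.1-P1 sets when the ACLs are unset ---
// "localhost" and "localnets" are BIND's built-in ACLs; 192.0.2.0/24
// is an illustrative placeholder for your own client range.
acl "trusted" { localhost; localnets; 192.0.2.0/24; };

options {
    recursion yes;
    allow-query       { any; };      // authoritative zones still answer publicly
    allow-recursion   { trusted; };  // only trusted clients may recurse ...
    allow-query-cache { trusted; };  // ... or read cached (non-authoritative) data
};
// Per the bulletin, 9.4.1-P1 copies whichever of allow-recursion or
// allow-query-cache is set onto the other; setting both avoids surprises.
```

After reloading, a query for a non-authoritative name sent from an address outside "trusted" (for example `dig @server www.example.net +norecurse`) should come back REFUSED instead of revealing whether the name is cached.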