questions on bind cache with views

Young H. armywide at
Thu Dec 17 14:44:07 UTC 2009

On Thu, Dec 17, 2009 at 10:16 PM, Cathy Almond <cathya at> wrote:

> There are three configuration settings that are relevant to what you're
> trying to do.
>
> allow-query - this controls who is allowed to query the nameserver at
> all.  The default if undefined is to allow any.
>
> allow-recursion - this controls who is allowed to make recursive queries
> of your nameserver.  Usually you don't want everyone to be able to do
> this which is why the default behaviour is restrictive.
>
> allow-query-cache - this one is subtle - it controls who is allowed to
> be given answers from cached data.  That's not quite the same as
> allow-recursion because if the answer is not available in cache the
> nameserver won't go out to find it.
>
> Both allow-recursion and allow-query-cache default to each other (if one
> is specified but not the other).
>
> If neither is specified, but allow-query IS defined (in other words it
> doesn't just default), then they both use what is set in allow-query.
>
> If nothing at all is defined, then (with recursion yes;) they both
> default to { localhost; localnets; };
>
> Therefore to make recursion work for you, you need to configure one of
> allow-recursion and allow-query-cache.
>
> If you want to make a difference between access to cache and to
> recursion, then you need to configure both allow-query-cache and
> allow-recursion.
>
> Currently with none of them specified at all you are getting this:
>
> allow-query { any; };
> allow-query-cache { localhost; localnets; };
> allow-recursion { localhost; localnets; };
>
> The behaviour of all of these settings is described in the Administrator
> Reference Manual (ARM) which is distributed with BIND and is also
> available on the ISC website:

Thanks Cathy.
Your explanation is so nice that I have fully understood it.
btw, is the current named secure enough even under the strictest
environment (like a military application)?
Thanks again.
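
The defaulting rules in the quoted reply, modelled as an added example that is not part of the original thread and is not BIND code. It assumes "recursion yes;" and treats each ACL as a plain list of element names; the function names and sample configurations are hypothetical. It shows that writing allow-query { any; }; explicitly, with nothing else set, also opens the cache and recursion to any.

```python
# Added example: models the defaulting rules as stated in the quoted reply,
# for a server with "recursion yes;". Names are hypothetical, not BIND code.
BUILTIN_QUERY = ["any"]                          # allow-query when undefined
BUILTIN_RESTRICTED = ["localhost", "localnets"]  # cache/recursion when nothing is defined


def effective_acls(explicit):
    """explicit: option name -> ACL list, only for options written in named.conf."""
    query = explicit.get("allow-query")
    recursion = explicit.get("allow-recursion")
    cache = explicit.get("allow-query-cache")

    if recursion is None and cache is None:
        # Neither set: inherit an explicitly defined allow-query,
        # otherwise fall back to the restrictive built-in default.
        recursion = cache = query if query is not None else BUILTIN_RESTRICTED
    elif recursion is None:
        recursion = cache        # the two options default to each other
    elif cache is None:
        cache = recursion

    return {
        "allow-query": list(query if query is not None else BUILTIN_QUERY),
        "allow-query-cache": list(cache),
        "allow-recursion": list(recursion),
    }


def open_to_any(explicit):
    """Return the cache/recursion options that end up answering 'any'."""
    eff = effective_acls(explicit)
    return sorted(k for k in ("allow-query-cache", "allow-recursion")
                  if "any" in eff[k])


# Constructed sample configurations (not taken from the thread).
SAMPLES = {
    "nothing defined": {},
    "explicit allow-query any": {"allow-query": ["any"]},
    "only allow-recursion": {"allow-recursion": ["10.0.0.0/8"]},
    "cache and recursion split": {
        "allow-query-cache": ["localhost", "localnets", "192.0.2.0/24"],
        "allow-recursion": ["localhost"],
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, effective_acls(cfg), "open to any:", open_to_any(cfg))
```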
