BIND 9 and BIND 8 issue

Stefan Schmidt stefan.schmidt at freenet.ag
Tue Mar 3 15:50:09 UTC 2009


On Fri, Feb 27, 2009 at 11:39:40AM +0800, bradonkuo wrote:
> Dear all bind users,

Hi Brandon,

> I am new to managing 3 BIND 9 servers. Lately, I got some complaints about users who cannot connect to
> some websites while they use our BIND 9 servers; this issue will be solved if they use other
> ISP's BIND 8 servers. One example is as below. Can we modify any configurations of BIND 9 server to
> solve this issue so that users don't need to change anything?

I can only take wild guesses here as I don't know about the
configuration of your BIND9 servers, but let me assure you that you won't
need to downgrade to BIND8 in order to provide recursive DNS to your
users. BIND9 is totally capable of that, but there has been a change in
the default configuration, meaning that it no longer allows recursive
queries by default. You would have to enable that in your configuration
via the following statements:
options {
	recursion yes;
	allow-query {
		0.0.0.0/0;
		# is most likely what you want here
		# as per its name your server
		# looks very much like it's also an authoritative
		# nameserver.
	};
	allow-recursion {
		192.168.0.0/16;
		# or substitute/add this by the network ranges your
		# institution uses for its clients
	};
};

Please let me stress some things:
- It is best current practice to separate your recursive Nameservice
  from your authoritative Nameservice, it's just more tidy and sane. [1]
  So what you really _should_ do is urge your users to use a separate
  recursive [3] DNS Server you provide them with instead of your
  authoritative. [4]
- BIND8 is deprecated and _should_ be rolled out of production wherever
  possible. [2]

[1] http://cr.yp.to/djbdns/separation.html
[2] https://www.isc.org/software/bind/security
[3] http://en.wikipedia.org/wiki/Domain_name_system#DNS_resolvers
[4] http://en.wikipedia.org/wiki/Name_server#Authoritative_name_server

	Stefan
-- 
printk(CARDNAME": Bad Craziness - sent packet while busy.\n" );
        linux-2.6.6/drivers/net/smc9194.c
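
Added example, not part of the original post: a small Python check of which clients the options block above lets query and which it lets recurse. It assumes flat address match lists (CIDRs, bare IPs, `any`, `none`, `!` negation) with no named ACLs; the function names and client addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the options block from the post, with the ';' that
# named.conf requires after the closing brace of allow-recursion.
SAMPLE_CONF = """
options {
    recursion yes;
    allow-query { 0.0.0.0/0; };      # authoritative data for everyone
    allow-recursion {
        192.168.0.0/16;              # client networks only
    };
};
"""

def strip_comments(text):
    """Drop /* */, # and // comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)

def match_list(conf, name):
    """Elements of a flat address match list, or None if the option is unset."""
    m = re.search(r"\b%s\s*\{([^{}]*)\}\s*;" % re.escape(name), strip_comments(conf))
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def permitted(elements, client):
    """First matching element decides; '!' negates; no match means denied."""
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated, spec = element.startswith("!"), element.lstrip("! ")
        if spec == "none":
            return False
        if spec == "any" or addr in ipaddress.ip_network(spec, strict=False):
            return not negated
    return False

def audit(conf, client):
    """What may this client do? Hypothetical helper, not a BIND tool."""
    recursion_on = re.search(r"\brecursion\s+yes\s*;", strip_comments(conf)) is not None
    qry, rec = match_list(conf, "allow-query"), match_list(conf, "allow-recursion")
    return {
        "query": qry is None or permitted(qry, client),  # unset allow-query = any
        "recurse": recursion_on and rec is not None and permitted(rec, client),
        # No explicit list: the effective default depends on the BIND version.
        "acl_missing": recursion_on and rec is None,
    }

if __name__ == "__main__":
    for ip in ("192.168.10.5", "203.0.113.7"):   # constructed client addresses
        print(ip, audit(SAMPLE_CONF, ip))
```

An outside address should come back with `query` true and `recurse` false; if `recurse` is true for an address outside your client ranges, the server is acting as an open resolver.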
