Query denied errors on PTR records for delegated zone

Geoff Sweet geoff.sweet at wemadeusa.com
Tue Feb 23 01:21:18 UTC 2010


The problem is that editing the options list to:

options {
        directory               "/var/named";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
        allow-query             { any; };
        allow-recursion         { wemadenets; };
};

Allows anyone to make recursive requests for any name against my server.  I don't want that.  By leaving the options list to " allow-query             { localhost; localnets; wemadenets; };" I prevent any ole recursive query (www.google.com for instance) except from my network while still allowing queries to the zones that I host.  However that brings me back to my original problem... it refuses queries for the reverse zone for my IP block.

-Geoff

-----Original Message-----
From: bind-users-bounces+geoff.sweet=wemadeusa.com at lists.isc.org [mailto:bind-users-bounces+geoff.sweet=wemadeusa.com at lists.isc.org] On Behalf Of Robert Spangler
Sent: Monday, February 22, 2010 16:54
To: bind-users at lists.isc.org
Subject: Re: Query denied errors on PTR records for delegated zone

On Monday 22 February 2010 19:26, Geoff Sweet wrote:

>  I have tried several different attempts to make this work, and the only
> change that works is to set in the options allow-query{any;};.  However the
> problem with that is that it then permits anyone to make any query against
> my nameservers and I don't want that.

That's the purpose of having a public DNS server? So others can get your public 
DNS information? You want them to be able to query your server for your 
information but not allow recursion.  By only allowing localhost, localnets 
and wemadenets, everyone else is blocked thus they cannot get your 
information.

> Can anyone here offer me some advice as to what I am doing wrong?  For 
> reference here is my config file:
>
>  acl wemadenets { 66.150.173.0/26; };
>
>  options {
>          directory               "/var/named";
>          dump-file               "/var/named/data/cache_dump.db";
>          statistics-file         "/var/named/data/named_stats.txt";
>          memstatistics-file      "/var/named/data/named_mem_stats.txt";
>          allow-query             { localhost; localnets; wemadenets; };
>          allow-recursion         { wemadenets; };
>  };

Edit allow-query and allow any.  Then everyone can get your information and 
still not use your server for recursion.

I take it you are working off some sort of how-to for this.


-- 

Regards
Robert

Linux User #296285
http://counter.li.org
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
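An added example (my own model, not code from the thread or from BIND) of how named applies allow-query before allow-recursion, so the configurations discussed above can be compared side by side. It also goes one step beyond the thread with a zone-level allow-query that opens only the hosted zone. The reverse zone name, the outside client address and the contents of localhost/localnets are assumptions; cached answers (allow-query-cache) are not modelled.

```python
# Added example (not from the thread): model of how BIND 9 applies allow-query vs allow-recursion.
import ipaddress

# "wemadenets" is the ACL from the thread; "localhost" and "localnets" are
# constructed stand-ins for BIND's built-in ACLs (loopback, attached subnets).
ACLS = {"wemadenets": ["66.150.173.0/26"], "localhost": ["127.0.0.1/32"],
        "localnets": ["66.150.173.0/26"]}

def acl_match(client, entries):
    """True if the client IP matches 'any', a named ACL, or a CIDR prefix."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        if entry == "any":
            return True
        if entry in ACLS:
            if acl_match(client, ACLS[entry]):
                return True
        elif ip in ipaddress.ip_network(entry):
            return True
    return False

def in_zone(qname, zone):
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def decide(config, client, qname, rd=True):
    """What named does with a query: 'AUTH', 'RECURSE' or 'REFUSED'."""
    zone = next((z for z in config["zones"] if in_zone(qname, z)), None)
    # A zone-level allow-query, when present, overrides the global one.
    allow_q = config["zones"].get(zone) or config["allow-query"]
    if not acl_match(client, allow_q):
        return "REFUSED"    # dropped before the zone data is even consulted
    if zone:
        return "AUTH"       # authoritative answer; recursion plays no part
    if rd and acl_match(client, config["allow-recursion"]):
        return "RECURSE"
    return "REFUSED"

ZONE = "173.150.66.in-addr.arpa"   # assumed name of the delegated reverse zone
# Geoff's original options: global allow-query restricted, the zone inherits it.
ORIGINAL = {"allow-query": ["localhost", "localnets", "wemadenets"],
            "allow-recursion": ["wemadenets"], "zones": {ZONE: None}}
# Robert's suggestion: allow-query any, recursion still limited to wemadenets.
ROBERT = {**ORIGINAL, "allow-query": ["any"]}
# Alternative: keep the global restriction and open only the hosted zone.
ZONE_ONLY = {**ORIGINAL, "zones": {ZONE: ["any"]}}

if __name__ == "__main__":   # outside client 203.0.113.7: PTR in the zone, then a foreign name
    for label, cfg in ("original", ORIGINAL), ("robert", ROBERT), ("zone-only", ZONE_ONLY):
        print(label, decide(cfg, "203.0.113.7", "10." + ZONE), decide(cfg, "203.0.113.7", "www.google.com"))
```

With the original options the outside client gets REFUSED for the PTR; with either of the other two it gets an authoritative answer while a recursive lookup of a foreign name is still refused.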
