Query denied errors on PTR records for delegated zone

Geoff Sweet geoff.sweet at wemadeusa.com
Tue Feb 23 01:44:15 UTC 2010


Barry,
  Thank you for the suggestion, however if you look at the zone config that I included in my original email you will see that what you have suggested is exactly what I have done originally. Each zone has an "allow-query { any; };" setting including the reverse zone that currently doesn't work for some strange reason.

-Geoff

-----Original Message-----
From: bind-users-bounces+geoff.sweet=wemadeusa.com at lists.isc.org [mailto:bind-users-bounces+geoff.sweet=wemadeusa.com at lists.isc.org] On Behalf Of Barry Margolin
Sent: Monday, February 22, 2010 17:41
To: comp-protocols-dns-bind at isc.org
Subject: Re: Query denied errors on PTR records for delegated zone

In article <mailman.523.1266888100.21153.bind-users at lists.isc.org>,
 Geoff Sweet <geoff.sweet at wemadeusa.com> wrote:

> The problem is that editing the options list to:
> 
> options {
>         directory               "/var/named";
>         dump-file               "/var/named/data/cache_dump.db";
>         statistics-file         "/var/named/data/named_stats.txt";
>         memstatistics-file      "/var/named/data/named_mem_stats.txt";
>         allow-query             { any; };
>         allow-recursion         { wemadenets; };
> };
> 
> Allows anyone to make recursive requests for any name against my server.  I 
> don't want that.  By leaving the options list to " allow-query             { 
> localhost; localnets; wemadenets; };" I prevent any ole recursive query 
> (www.google.com for instance) except from my network while still allowing 
> queries to the zones that I host.  However that brings me back to my original 
> problem... it refuses queries for the reverse zone for my IP block.

Since you have "allow-query {wemadenets;};", clients outside that 
network will NOT be allowed to make recursive requests against your 
server.

But if you really don't want to change the allow-query option, you can 
put "allow-query {any;};" within all the zone stanzas.  That will just 
allow public queries for those zones, not for recursive or cached data.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
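For readers following the thread, the layout Barry describes (a restrictive global allow-query/allow-recursion with a per-zone allow-query { any; } on every hosted zone, forward and reverse) looks like this. This is an added example, not configuration posted by either participant: the ACL name wemadenets and the /var/named paths come from the thread, while the 192.0.2.0/24 block, the example.com zone and the file names are constructed placeholders.

```conf
// Added example (not from the thread): named.conf layout matching
// Barry's suggestion. Global query and recursion access are limited
// to the local ACL, while each hosted zone is queryable by anyone.
// Assumptions: ACL name "wemadenets" is from the thread; the
// 192.0.2.0/24 block, example.com and file names are constructed.

acl wemadenets {
        localhost;
        localnets;
        192.0.2.0/24;          // constructed example range
};

options {
        directory               "/var/named";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";

        // Global default: only our own clients may query at all ...
        allow-query             { wemadenets; };
        // ... and only they may have the server recurse on their behalf.
        allow-recursion         { wemadenets; };
        // Cached answers are internal-only as well. BIND 9.4+ defaults this
        // to the allow-recursion ACL; stating it keeps the intent explicit.
        allow-query-cache       { wemadenets; };
};

// Forward zone: the per-zone allow-query overrides the global default, so
// the public can resolve names this server is authoritative for.
zone "example.com" {
        type master;
        file "example.com.zone";
        allow-query { any; };
};

// Reverse zone for the delegated /24. The zone name must be the exact
// in-addr.arpa name the parent delegated to you; if a PTR query arrives
// for a name that falls outside every configured zone, named treats it as
// a cache/recursive query, the global ACL applies, and the log shows
// "query (cache) ... denied" for clients outside wemadenets.
zone "2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192.in-addr.arpa.zone";
        allow-query { any; };
};
```

After `named-checkconf` passes and the server is reloaded, a query for a PTR in the zone from a host outside the ACL (`dig @ns.example.com -x 192.0.2.10 +norecurse`) should return the record, while a query for a name the server is not authoritative for (`dig @ns.example.com www.google.com`) should come back REFUSED. Substitute your own nameserver and addresses for the constructed ones.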