Query denied errors on PTR records for delegated zone

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Feb 23 09:07:04 UTC 2010


On 22.02.10 17:21, Geoff Sweet wrote:
> The problem is that editing the options list to:
> 
> options {
>         directory               "/var/named";
>         dump-file               "/var/named/data/cache_dump.db";
>         statistics-file         "/var/named/data/named_stats.txt";
>         memstatistics-file      "/var/named/data/named_mem_stats.txt";
>         allow-query             { any; };
>         allow-recursion         { wemadenets; };
> };
> 
> Allows anyone to make recursive requests for any name against my server. 
> I don't want that.

You want nobody to send you recursive queries? Well, call them by phone and ask
them not to do so.

You want the recursive requests not to reach your server? Put a DNS
inspecting firewall in front of your server...

You want the recursive requests not to be resolved? That is exactly what the
options above say. Anyone can query, but recursive requests will be answered
only if they come from wemadenets.

>  By leaving the options list to " allow-query {
> localhost; localnets; wemadenets; };" I prevent any ole recursive query
> (www.google.com for instance) except from my network while still allowing
> queries to the zones that I host.

No, this way you prevent ALL queries from being answered.
Read the docs; you apparently do not understand the difference between
allow-query and allow-recursion.

And, btw. bind 9.3 will send answers from cache to anyone who has
allow-query enabled. It won't do the recursion, but will answer if it's
cached. Maybe this is what made you think the above.

bind 9.4 and later has a new option, allow-query-cache, that allows tuning this
behaviour too, and the default is the same as allow-recursion.

(actually they cross-inherit from each other if either is not set)

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - You can now turn on your computer without worry.
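The split the reply describes (open allow-query for the hosted zones, recursion and cache reads only for the local networks), written out as an added named.conf fragment that is not from the original post; the acl prefixes are constructed placeholders, and the wemadenets acl is assumed to be defined since the post only references it.

```conf
// Constructed example: the ACL the quoted config refers to must be defined
// before it is used in options{}. Prefixes below are placeholders.
acl wemadenets { 192.0.2.0/24; 2001:db8::/32; };

options {
        directory               "/var/named";

        // Who may ask anything at all. Must stay open, otherwise the
        // delegated zone (and its PTR records) is refused for the outside
        // world, which is what the "query denied" errors were.
        allow-query             { any; };

        // Who may have the server recurse on their behalf.
        allow-recursion         { localhost; localnets; wemadenets; };

        // BIND 9.4+: who may read answers already sitting in the cache.
        // It inherits from allow-recursion when unset, but setting it
        // explicitly avoids leaking cached data to anyone allow-query admits.
        allow-query-cache       { localhost; localnets; wemadenets; };
};
```

After reloading, a query for a hosted zone from outside wemadenets should get an answer, while a query for an unrelated name from the same address should come back REFUSED (with the recursion available flag clear), which can be checked with dig from both sides of the ACL.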


