Disabling recursion causes browser hangs on clients with auto proxy config

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Jan 25 16:56:36 UTC 2010


On 25.01.10 17:14, Frank Stanek wrote:
> we want to set up a DNS server (bind-9.4.3-P3) for the internal LAN only.
> However for security reasons we need to only allow a few trusted systems
> to resolve external host names (ie names we are not authoritative for):
> * Trusted systems can resolve names from our zones _and_ external names
> * All other systems can only resolve names from our zones

> However when we use a pac file or automatic proxy detection, the browsers
> continually try to resolve the URL, receive "refused (recursion not available)",

The browser apparently needs to resolve the IP before it decides whether to
use proxy or not. It may be a problem of the .pac file.

> Is there something fundamentally flawed with this configuration, ie is there
> a better way to do this? We have tried using views but essentially we only
> put recursion no; in one view and recursion yes; in the other which comes
> down to the same thing. I have also inquired on the Firefox mailing list
> about why the browsers behave this way (try to resolve forever when they
> shouldn't need to) but have not received a reply yet.

Check the .pac content. If you use IPs in it, they are probably going to
get resolved from the given hostname.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
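
The point about IP addresses in the .pac file, as an added example that is not part of the original message or of either poster's configuration: a PAC rule written against addresses forces a DNS lookup for every host, external ones included, while a rule written against names decides without touching the resolver. The helper stand-ins, host names, addresses and proxy name are constructed assumptions so the two policies can be compared under Node.

```javascript
// Added example. Minimal stand-ins for the standard PAC helpers so both
// policies run under Node; hosts, addresses and the proxy are constructed.
const lookups = []; // hostnames the PAC sent to DNS

// Simulated restricted resolver: only names from the internal zone answer.
const INTERNAL = { "intranet.corp.example": "10.1.2.3" };
function dnsResolve(host) {
  lookups.push(host);
  return INTERNAL[host] || null; // external name: refused, no address
}

const toInt = ip => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
function isInNet(host, net, mask) {
  // As in browsers, a hostname argument is resolved before the comparison.
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}
const isPlainHostName = host => !host.includes(".");
const dnsDomainIs = (host, domain) => host.endsWith(domain);

const PROXY = "PROXY proxy.corp.example:3128";

// Address-based rule: every host is resolved before the proxy decision.
function pacByAddress(url, host) {
  return isInNet(host, "10.0.0.0", "255.0.0.0") ? "DIRECT" : PROXY;
}

// Name-based rule: the decision uses the hostname string only, no DNS.
function pacByName(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  return PROXY;
}

// Runs a PAC function over hosts and reports which ones it sent to DNS.
function audit(pac, hosts) {
  lookups.length = 0;
  const decisions = hosts.map(h => pac("http://" + h + "/", h));
  return { decisions, resolved: [...lookups] };
}

const hosts = ["intranet.corp.example", "www.external.example"];
console.log("by address:", audit(pacByAddress, hosts));
console.log("by name:   ", audit(pacByName, hosts));
```

Both policies return the same proxy decisions; only the address-based one asks the resolver about the external name, which is the query the restricted server refuses.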


