No subject


Tue Apr 2 00:56:56 UTC 2013


from looking up domains that this box doesn't handle the zones for.
So an acl line like "allow-recursion { our-nets; };" would only allow
IPs within our network to look up other domains and block everyone
else from querying some domain, right?

In the BIND manual -
http://www.bind9.net/manual/bind/9.2.3/Bv9ARM.ch07.html they have the
statement

"acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
};
zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
This allows recursive queries of the server from the outside unless
recursion has been previously disabled."

^^ that line is a typo, right?  This disables recursive queries, not
enables them, right?

As a test I set BIND to only allow queries from our-nets but
commented out allow-recursion. So something like
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  allow-query { our-nets; };
#  allow-recursion { our-nets; };
  blackhole { bogusnets; };
};
For some reason I still see denies in our logs.  What exactly is being
denied if we are allowing recursion?  Here is a snippet from our logs:
20-Jun-2007 12:16:32.246 security: client XXX.XXX.XXX.XXX#32772: query
(cache) 'NPICEF136.domaintest.com/A/IN' denied

Thanks,
Nick
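As an added example, not code from Nick's post or from BIND itself: a small Python model of how the quoted ACLs decide a query. It assumes that a zone's own allow-query overrides the global one, that a name outside every authoritative zone is gated by the global allow-query and (when set) allow-recursion, and it replaces the x.x.x.x placeholders with constructed RFC 5737 ranges; negated ('!') elements are not modelled.

```python
"""Model of BIND address_match_list decisions (added example, not BIND code).
ACL names come from the post; the our-nets ranges are constructed stand-ins
for the x.x.x.x placeholders. Negated ('!') elements are not modelled."""
import ipaddress

# Constructed sample ACLs mirroring the post's config; 'any' is BIND's built-in.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/21"],   # constructed values
    "any": ["0.0.0.0/0"],
}

def matches(acl_list, client, acls=ACLS):
    """First element (a network or a named ACL) that contains the client wins."""
    addr = ipaddress.ip_address(client)
    for elem in acl_list:
        if elem in acls:
            if matches(acls[elem], client, acls):
                return True
        elif addr in ipaddress.ip_network(elem, strict=False):
            return True
    return False

# The post's test config: global allow-query kept, allow-recursion commented
# out (None = unset, i.e. recursion is not restricted by that option).
OPTIONS = {"allow-query": ["our-nets"], "allow-recursion": None,
           "blackhole": ["bogusnets"]}
ZONES = {"example.com": {"allow-query": ["any"]}}

def disposition(client, qname, options=OPTIONS, zones=ZONES):
    """Return 'blackholed' (packet ignored), 'denied' (refused and logged),
    or 'served'. Assumption: a zone's own allow-query overrides the global
    one; a name outside every authoritative zone must pass the global
    allow-query and, when it is set, allow-recursion."""
    if matches(options["blackhole"], client):
        return "blackholed"
    name = qname.rstrip(".")
    zone = next((z for z in zones if name == z or name.endswith("." + z)), None)
    if zone is not None:
        acl = zones[zone].get("allow-query", options["allow-query"])
        return "served" if matches(acl, client) else "denied"
    rec = options["allow-recursion"]
    if matches(options["allow-query"], client) and (rec is None or matches(rec, client)):
        return "served"
    return "denied"
```

Run disposition("8.8.8.8", "NPICEF136.domaintest.com") to see why an outside client asking for a non-authoritative name is still refused by the global allow-query even with allow-recursion commented out.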
