allow-query and views
Robert Moskowitz
rgm at htt-consult.com
Thu Feb 21 16:08:02 UTC 2013
On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote:
> On 21.02.13 08:59, Robert Moskowitz wrote:
>> I am reading: https://www.isc.org/software/bind/faq and 'What has
>> changed in the behavior of "allow-recursion" and "allow-query-cache" '.
>>
>>
>> I am struggling here trying to match up the various access control
>> features, particularly when we are supposed to have different views
>> for different clients.
>>
>> So for my internal view where I:
>>
>> match-clients { httnets; };
>> match-destinations { httnets; };
>> recursion yes;
>> allow-query { httnets; };
>
> allow-query is useless here, unless you have disabled it somewhere.
> the match-clients does enough.
No. allow-query made my internal view available to my local clients.
Check my earlier posts here. I was down here with just the
match-clients and without the allow-query; all local hosts were getting
denied access. It was painful for a little while.
>
>> Do I also add
>>
>> allow-query-cache { httnets; };
>> ???
>
> you apparently want to turn on recursion for your clients, which
> means, you
> should use "allow-recursion" and let allow-query-cache be the same by
> default.
Recursion seems to be working with just "recursion yes" here. What
does allow-recursion add, given all the other restrictive clauses?
>
>> And for the external view where:
>>
>> match-clients { any; };
>> match-destinations { any; };
>> allow-query { any; };
>> recursion no;
>>
>> Do I add:
>>
>> allow-query-cache { localhost; };
>
>> ??? Supposedly localhost will fall into the internal view (along
>> with httnet)
>
> and does localhost belong to the httnets ACL?
Yes. Both 127.0.0.1 and ::1 are listed.
>
>> , so nothing should be querying cache?
>
> correct, no external hosts should query your cache.
>
OK.
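
The two views discussed in this thread, written out with every access-control option stated explicitly so that nothing depends on inherited or version-specific defaults. This is an added example, not configuration posted by either participant; the `httnets` name and the view options come from the thread, while the address ranges are constructed placeholders and the zone statements are omitted.

```conf
// Constructed example: addresses are documentation ranges, not from the thread.
acl httnets {
    127.0.0.1;
    ::1;
    192.0.2.0/24;       // placeholder IPv4 range
    2001:db8::/32;      // placeholder IPv6 range
};

view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    // Who may query, who may recurse, and who may read cached answers,
    // each stated rather than left to fall back on another option.
    allow-query        { httnets; };
    allow-recursion    { httnets; };
    allow-query-cache  { httnets; };
    // zone statements for this view go here
};

view "external" {
    match-clients      { any; };
    match-destinations { any; };
    recursion no;
    allow-query        { any; };    // authoritative zone data only
    allow-recursion    { none; };
    allow-query-cache  { none; };   // no client reaches cached data through this view
    // zone statements for this view go here
};
```

Running `named-checkconf` on the file checks the syntax before a reload. A query from an outside address for a name the server is not authoritative for should then be refused rather than answered from cache.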