allow-query and views

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Feb 21 17:10:55 UTC 2013


>>On 21.02.13 08:59, Robert Moskowitz wrote:
>>>I am reading: https://www.isc.org/software/bind/faq and 'What has 
>>>changed in the behavior of "allow-recursion" and 
>>>"allow-query-cache" '.
>>>
>>>
>>>I am struggling here trying to match up the various access 
>>>control features, particularly when we are supposed to have 
>>>different views for different clients.
>>>
>>>So for my internal view where I:
>>>
>>>   match-clients        { httnets; };
>>>   match-destinations    { httnets; };
>>>   recursion yes;
>>>   allow-query        { httnets; };

>On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote:
>>allow-query is useless here, unless you have disabled it somewhere.
>>the match-clients does enough.

On 21.02.13 11:08, Robert Moskowitz wrote:
>No. allow-query made my internal view available to my local clients.  

allow-query defaults to all. match-clients directs your internal clients to
the internal view and unless you have disabled querying elsewhere, allowing
it is not important.

>Check my earlier posts here.  I was down here with just the 
>match-clients and without the allow-query; all local hosts were 
>getting denied access.  It was painful for a little while.

Probably they did not have recursion enabled. allow-recursion defaults to
local networks, if not specified directly or by allow-query-cache.

>>>Do I also add
>>>
>>>   allow-query-cache        { httnets; };
>>>???
>>
>>you apparently want to turn on recursion for your clients, which means
>>you should use "allow-recursion" and let allow-query-cache be the same by
>>default.
>
>Recursion seems to be working with just  "recursion yes" here.

Recursion by itself, yes. But the default for allow-recursion might not be
enough for you.
In fact, you can use "allow-recursion { all; };" and still only internal
clients (in internal view) would have it allowed.

>  What does allow-recursion add with given all the other restrictive
>clauses?

It allows specified clients to use recursion. Both allow-query-cache and
allow-recursion default to the other one, when only one is specified.
However, allow-recursion gives a better idea of what is really allowed.

>>>And for the external view where:
>>>
>>>   match-clients        { any; };
>>>   match-destinations    { any; };
>>>   allow-query        { any; };
>>>   recursion no;
>>>
>>>Do I add:
>>>
>>>   allow-query-cache        { localhost; };

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
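As an added example, not taken from the thread, here is a minimal named.conf that puts the two views discussed above side by side with their access controls written out explicitly, so the effective policy does not depend on which allow-* clause happens to supply the default for another. The ACL name httnets comes from the thread; its address ranges, the zone name and the file paths are assumptions made for the example.

```conf
// Added example (not from the thread). Check syntax with:
//   named-checkconf /etc/named.conf
// "httnets" is the ACL name used in the thread; these ranges are assumed.
acl httnets {
    127.0.0.1;
    10.0.0.0/8;
};

options {
    directory "/var/named";     // assumed path
    // No global recursion/allow-* settings: each view carries its own policy.
};

// Views are tried in order, so the restrictive internal view must come first.
// Internal view: only hosts in httnets ever reach it (match-clients), so
// allow-query can stay at its default of any. The clauses that decide who may
// recurse are "recursion" and "allow-recursion"; both are spelled out here.
view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    allow-recursion    { httnets; };   // explicit instead of inheriting a default
    allow-query-cache  { httnets; };   // explicit; would otherwise follow allow-recursion

    zone "example.com" {               // assumed zone name
        type master;
        file "internal/example.com.zone";   // assumed path
    };
};

// External view: anyone may query, but only for authoritative data.
// "recursion no" plus an empty allow-query-cache keeps the cache closed to
// the Internet, so the server cannot be used as an open resolver.
view "external" {
    match-clients      { any; };
    match-destinations { any; };
    recursion no;
    allow-query        { any; };
    allow-query-cache  { none; };

    zone "example.com" {               // assumed zone name
        type master;
        file "external/example.com.zone";   // assumed path
    };
};
```

To verify the split, query the server from an address inside httnets and from one outside it: the inside host should get recursive answers for names the server is not authoritative for, while the outside host should only get answers for example.com and should see no "ra" (recursion available) flag in the reply header.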


