allow-query and views

Robert Moskowitz rgm at htt-consult.com
Thu Feb 21 17:45:12 UTC 2013


On 02/21/2013 12:10 PM, Matus UHLAR - fantomas wrote:
>>> On 21.02.13 08:59, Robert Moskowitz wrote:
>>>> I am reading: https://www.isc.org/software/bind/faq and 'What has 
>>>> changed in the behavior of "allow-recursion" and 
>>>> "allow-query-cache" '.
>>>>
>>>>
>>>> I am struggling here trying to match up the various access control 
>>>> features, particularly when we are supposed to have different views 
>>>> for different clients.
>>>>
>>>> So for my internal view where I:
>>>>
>>>>   match-clients        { httnets; };
>>>>   match-destinations    { httnets; };
>>>>   recursion yes;
>>>>   allow-query        { httnets; };
>
>> On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote:
>>> allow-query is useless here, unless you have disabled it somewhere.
>>> the match-clients does enough.
>
> On 21.02.13 11:08, Robert Moskowitz wrote:
>> No. allow-query made my internal view available to my local clients. 
>
> allow-query defaults to all. match-clients directs your internal 
> clients to the internal view and unless you have disabled querying 
> elsewhere, allowing it is not important.

Fact:

No clients could access DNS from my server, both internal and external 
(I have a hotspot on my cellphone, so I can attach a client to it to get 
external testing) UNTIL I added the allow-query option.  Once added, 
things started working right.

All I can report is what was not working and what made it work. 
allow-query SEEMS to be working the same way as allow-query-cache.

>
>> Check my earlier posts here.  I was down here with just the 
>> match-clients and without the allow-query; all local hosts were 
>> getting denied access.  It was painful for a little while.
>
> Probably they did not have recursion enabled. allow-recursion 
> defaults to local networks, if not specified directly or by 
> allow-query-cache.

I had the recursion yes option in my internal view.  But even queries of 
zones it was master for were coming up DENIED without the allow-query 
option.

>
>>>> Do I also add
>>>>
>>>>   allow-query-cache        { httnets; };
>>>> ???
>>>
>>> you apparently want to turn on recursion for your clients, which 
>>> means you should use "allow-recursion" and let allow-query-cache be 
>>> the same by default.
>>
>> Recursion seems to be working with just "recursion yes" here.
>
> Recursion by itself, yes. But the default for allow-recursion might 
> not be enough for you.
> In fact, you can use "allow-recursion { all; };" and still only internal
> clients (in internal view) would have it allowed.

So "recursion yes" does not override "allow-recursion"?  Strange.

>
>> What does allow-recursion add, given all the other restrictive
>> clauses?
>
> It allows specified clients to use recursion. Both allow-query-cache and
> allow-recursion default to the other one, when only one is specified.
> However, allow-recursion gives a better idea of what is really allowed.

Then what is the basic recursion option for now?  Is it just a hold-over 
from more trusting days?

>
>>>> And for the external view where:
>>>>
>>>>   match-clients        { any; };
>>>>   match-destinations    { any; };
>>>>   allow-query        { any; };
>>>>   recursion no;
>>>>
>>>> Do I add:
>>>>
>>>>   allow-query-cache        { localhost; };
>

thanks
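A named.conf fragment that spells out every ACL for both views discussed above, added here as an illustration and not taken from either poster's configuration; the acl body (192.0.2.0/24 is a documentation prefix), the zone name and the file paths are placeholders. The fallback chain noted in the comments is the one documented in the BIND 9 ARM: allow-recursion falls back to allow-query-cache, then to allow-query, then to { localnets; localhost; }, and allow-query-cache follows the same chain in the other direction.

```conf
// Added example, not from the thread.  Everything below "acl httnets" is a
// placeholder; substitute the real internal networks.
acl httnets { 192.0.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients        { httnets; };   // view selection: who lands here
    match-destinations   { httnets; };
    recursion yes;                       // turns the resolver on for this view...
    allow-recursion      { httnets; };   // ...this ACL decides who may actually use it
    allow-query-cache    { httnets; };   // same set: only recursive clients read the cache
    allow-query          { httnets; };   // redundant with match-clients, but explicit;
                                         // without it the default is "any", and the
                                         // recursion/cache ACLs would fall back to
                                         // { localnets; localhost; } instead of httnets
    zone "example.com" { type master; file "internal/example.com.zone"; };
};

view "external" {
    match-clients        { any; };       // everyone not matched by "internal"
    match-destinations   { any; };
    recursion no;                        // never recurse for the outside world
    allow-recursion      { none; };      // stated explicitly so a later edit cannot
    allow-query-cache    { none; };      // silently turn this into an open resolver
    allow-query          { any; };       // authoritative answers only
    zone "example.com" { type master; file "external/example.com.zone"; };
};
```

Views are matched in the order written, so the internal view must precede the catch-all external one; `named-checkconf` validates the syntax but not the intent, so test each view from a client inside and outside httnets.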
