allow-query and views

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Feb 21 18:54:46 UTC 2013


On 21.02.13 12:45, Robert Moskowitz wrote:
>Fact:

>No clients could access DNS from my server, both internal and 
>external (I have hotspot on my cellphone, so I can attach a client to 
>it to get external testing) UNTIL I added the allow-query option.  
>Once added things started working right.

Which BIND version do you use?
Do you use your own named.conf? Some OSes/distributions provide multiple
included files with some defaults that may deny access, for example.
Are you sure your named.conf doesn't include such file?

>All I can report is what was not working and what made it work. 
>allow-query SEEMS to be working the same way as allow-query-cache.

But they both do different things.

>>>Check my earlier posts here.  I was down here with just the 
>>>match-clients and without the allow-query; all local hosts were 
>>>getting denied access.  It was painful for a little while.

>>Probably they did not have recursion enabled. allow-recursion defaults
>>to local networks, if not specified directly or by allow-query-cache.

>I had the recursion yes option in my internal view.  But even queries 
>of zones it was master for were coming up DENIED without the 
>allow-query option.

There's something strange about this issue. The default for allow-query is
"all" and I don't think this was different any time.
Are you sure there's no other "allow-query" directive anywhere in your
named's config files?

>>>Recursion seems to be working with just "recursion yes" here.

>>Recursion by itself, yes. But the default for allow-recursion might not be
>>enough for you.

>>In fact, you can use "allow-recursion { all; };" and still only internal
>>clients (in internal view) would have it allowed.

>So "recursion yes" does not override "allow-recursion"?  Strange.

recursion yes/no tells the server whether to recurse at all.
allow-recursion only specifies for whom to recurse.
"recursion no" will disable recursion for all (matching) clients.
"recursion yes" will enable recursion, but only for allowed clients.

>>>What does allow-recursion add, given all the other restrictive
>>>clauses?

>>It allows specified clients to use recursion. Both allow-query-cache and
>>allow-recursion default to the other one, when only one is specified.
>>However, allow-recursion gives a better idea of what is really allowed.

>Then what is the basic recursion option for now?  Is it just a 
>hold-over from more trusting days?

It's a kind of general switch to allow/deny recursion.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
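As an added illustration of the points made in this thread (this is not a configuration from the poster or from the BIND project), here is a two-view named.conf that puts the three directives side by side: allow-query (which defaults to "any"), recursion (the global switch) and allow-recursion (the client list the switch applies to). The ACL ranges, directory, zone name and file names are assumed placeholders.

```conf
// Added example, not from the thread. Addresses, paths and zone names are assumed.
acl "internal" { 127.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";          // assumed path

    // allow-query already defaults to { any; }. Stating it explicitly makes the
    // intent visible and makes a stray, more restrictive allow-query in a
    // distribution-supplied include file easier to notice.
    allow-query { any; };
};

view "internal" {
    match-clients { internal; };

    // The switch: this view's clients may be recursed for at all.
    recursion yes;

    // For whom: only the internal ACL. If left out, allow-recursion would
    // default to allow-query-cache (if set) or to localnets/localhost.
    allow-recursion { internal; };

    zone "example.com" { type master; file "db.example.com"; };
};

view "external" {
    match-clients { any; };

    // Nothing matching this view is recursed for, regardless of any
    // allow-recursion list; authoritative answers are still served.
    recursion no;
    allow-query { any; };

    zone "example.com" { type master; file "db.example.com.external"; };
};
```

To answer the "is there another allow-query somewhere?" question, run `named-checkconf -p` against the config: it prints the effective configuration with all include files expanded, so any allow-query or allow-recursion contributed by a distribution default file shows up next to the ones you wrote yourself.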
