Diagnostic help

Bill Christensen billc_lists at greenbuilder.com
Tue Sep 30 03:37:16 UTC 2014



So if my server is authoritative for MyDomain.com, should Joe Sixpak be 
able to resolve it via whatever DNS he's using, as mine is currently set up?

Do I need to change it to

    allow-query { any; };

in order to allow that to happen?  Will my restriction on recursion keep 
the riffraff to a minimum?

Thanks.

On 9/29/14, 7:58 PM, Ben Croswell wrote:
>
> The default for allow query is local host, local nets.  Basically the 
> server itself and directly connected networks.
>
> On Sep 29, 2014 8:03 PM, "Bill Christensen" 
> <billc_lists at greenbuilder.com> wrote:
>
>     Hi folks,
>
>     Something got sideways on one of my DNS servers, and I would
>     appreciate some help in figuring out what's going on.
>
>     I'm running BIND 9.10.1.  This server is authoritative master for
>     a number of domains.
>
>     First off, I may have the allow-query set incorrectly. Currently I
>     have:
>
>     acl query-permit {
>         (range of IP addresses on the local LAN which are allowed to use
>     this server as their query server)
>         };
>
>     acl recursive-permit {
>         (range of IP addresses on the local LAN which are allowed to use
>     this server for recursive queries)
>         };
>
>     acl transfer-permit {
>         (IP addresses of a couple other name servers allowed to do
>     transfers with this one)
>         };
>
>     and at the beginning of the options  section:
>
>             allow-recursion { recursive-permit; };
>              allow-transfer { transfer-permit; };
>     //     allow-query { query-permit; };
>
>     Allow-query is commented out, which I assume will allow anyone to
>     query this server for the domains for which it has master or slave
>     records, but does not allow the general public to do recursive
>     queries or queries on domains not hosted here.
>
>     Let me know if I've got that right, or how to correct it if I don't.
>
>     If this part is correct I'll continue the questioning.
>
>     Thanks!
>
>
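An added example, not part of the original thread or anyone's actual configuration: a named.conf layout for the setup discussed above, where the server answers everyone for the zones it hosts but recurses only for the LAN. Every ACL is set explicitly so the result does not depend on version defaults; the address ranges and zone file name are constructed placeholders, and the ACL names and domain follow the post.

```conf
// Constructed example ranges (RFC 1918 / RFC 5737); substitute your own.
acl recursive-permit { 192.168.1.0/24; localhost; };
acl transfer-permit  { 192.0.2.53; 198.51.100.53; };

options {
    // Anyone on the Internet may query the zones hosted here.
    allow-query       { any; };

    // Recursion, and answers served from the cache, only for LAN clients.
    // Outside clients asking about names not hosted here are refused.
    allow-recursion   { recursive-permit; };
    allow-query-cache { recursive-permit; };

    // Zone transfers only to the listed secondaries.
    allow-transfer    { transfer-permit; };
};

zone "mydomain.com" {
    type master;
    file "mydomain.com.zone";   // hypothetical file name
};
```

After checking the syntax with named-checkconf, query the server with dig from a host outside the permitted ranges: a hosted name should come back with the aa flag set, and a name not hosted here should come back REFUSED.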
