denying external cache lookups.
Barry Margolin
barmar at alum.mit.edu
Fri Dec 16 00:23:50 UTC 2005
In article <dnsch0$1h2u$1 at sf1.isc.org>,
Allen Wooden <awooden at harboreast.net> wrote:
> I guess my question is two-fold.
> 1. If I change the options to be:
> options {
>     allow-recursion { localhost; internal; ex_recurse; };
>     allow-query { localhost; internal; ex_recurse; };
>     ...
> };
>
> and in each zone statement add:
>     allow-query { any; };
>
> Is there a good chance I'm going to break something? Will this do what I
> think it will do, which is deny all queries from outside except for
> authoritative data, while still allowing my internal nameservers and
> customers to do recursion and query the cache? Would the allow-query
> { any; }; at the zone level supersede the global config? I am thinking
> it would.
You're doing it exactly right. You shouldn't have any problems.
> What should I expect the response to a foreign resolver after I make this
> change? Refused or a referral? I would think it would return refused
> because I told it not to answer except for authoritative data or allowed
> subnets.
Correct. The only exception might be if they ask about a delegated
subdomain of one of your authoritative zones -- in that case I think
you'll return the delegation.
> 2. Should I even worry about this?
If you're getting lots of unauthorized queries, and it's causing
excessive load on your server, it's certainly a good idea.
It's also possible that someone could make use of recursive queries to
cause your cache to be poisoned, which would then impact your authorized
users.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
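As an added illustration of the configuration discussed in this thread (not config posted by either participant), here is a complete named.conf sketch of the layout: a restrictive global allow-query/allow-recursion, and a per-zone allow-query { any; } that overrides it for authoritative data only. The acl bodies for "internal" and "ex_recurse", the file paths and the zone names are assumptions chosen for the example. The allow-query-cache line applies to BIND 9.4 and later, where cache access is controlled by its own option (it defaults to the allow-recursion list when that is set); on the BIND 9.3 releases current when this thread was written, leave that line out, since allow-query covered the cache there.

```conf
// Added example, not from the thread. Address lists below are assumptions.
acl internal   { 127.0.0.1; 10.0.0.0/8; };            // assumed: internal nameservers
acl ex_recurse { 192.0.2.0/24; 198.51.100.0/24; };    // assumed: customer ranges

options {
    directory "/var/named";                           // assumed path
    recursion yes;

    // Who may use this server as a recursive resolver.
    allow-recursion { localhost; internal; ex_recurse; };

    // Global default for every query the zone statements do not override.
    // Anyone outside these lists gets status REFUSED.
    allow-query { localhost; internal; ex_recurse; };

    // BIND 9.4+ only: cache lookups have their own ACL. It defaults to the
    // allow-recursion list when that is set, but stating it avoids surprises.
    allow-query-cache { localhost; internal; ex_recurse; };
};

// Root hints: no allow-query override, so foreign hosts cannot query it.
zone "." {
    type hint;
    file "named.root";
};

// Authoritative zone: the zone-level allow-query overrides the global one,
// so anyone may ask for this data. Names under a delegated child zone come
// back as a referral (NS records in the authority section), not REFUSED.
zone "example.com" {
    type master;
    file "master/example.com.db";                     // assumed path
    allow-query { any; };
};

// Reverse zone for one of the customer ranges, published the same way.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "master/2.0.192.db";                         // assumed path
    allow-query { any; };
};
```

Run named-checkconf on the file before reloading. To confirm the behaviour from a host outside the allowed ranges: dig @ns.example.com example.com SOA should return an authoritative answer (aa flag set), dig @ns.example.com www.example.org A should return status: REFUSED, and a query for a name in a delegated subdomain of example.com should return a referral. From an address inside the allowed ranges, the same www.example.org query should resolve normally with the ra flag set.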