open recursion/cache problem
Jeffrey Williams
jeff at sailorfej.net
Thu Aug 24 19:15:25 UTC 2006
I am running bind 9.3.2 on FreeBSD 6.1.
I want to limit recursive queries to my systems on my own subnet;
following is my named.conf:
// private, reserved and multicast ranges that should never be query sources
acl bogusnets {
    0.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16;
    172.16.0.0/12; 169.254.0.0/16;
    192.0.2.0/24; 224.0.0.0/4; 240.0.0.0/4;
};
// my own subnet (obfuscated)
acl mynets { x.x.x.0/24; };
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    version "not really";
    // only clients in mynets may ask this server to recurse
    allow-recursion { mynets; };
    // queries from bogusnets are dropped outright
    blackhole { bogusnets; };
    forwarders {
        my.isp.ns1.34;
        my.isp.ns2.14;
    };
};
I have tested recursive query status with dnsreport and the following tool:
http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
Both indicate I am running a non-recursive DNS for domains I am not
authoritative for.
But when I do a dig from a client not on my allowed subnet I am getting
answers for domains my nameserver is not authoritative for, see below:
me at myhomecomp:~> dig @my.ns1.com www.microsoft.com
; <<>> DiG 9.3.0 <<>> @my.ns1.com www.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61728
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.microsoft.com. IN A
;; ANSWER SECTION:
www.microsoft.com. 352 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 52 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 52 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 52 IN A 207.46.225.60
lb1.www.ms.akadns.net. 52 IN A 207.46.20.30
lb1.www.ms.akadns.net. 52 IN A 207.46.20.60
lb1.www.ms.akadns.net. 52 IN A 207.46.19.30
lb1.www.ms.akadns.net. 52 IN A 207.46.199.60
lb1.www.ms.akadns.net. 52 IN A 207.46.198.30
lb1.www.ms.akadns.net. 52 IN A 207.46.19.60
lb1.www.ms.akadns.net. 52 IN A 207.46.199.30
;; Query time: 12 msec
;; SERVER: x.x.x.20#53(my.ns1.com)
;; WHEN: Thu Aug 24 11:20:08 2006
;; MSG SIZE rcvd: 235
me at myhomecomp:~>
Now I did see a forum thread that said that the allow-recursion
{acl} option will not stop the nameserver from answering queries for
entries already cached. Short of turning off caching, is there any other
way to restrict external queries for domains I am not authoritative for,
even if they are cached?
Thanks
Jeff
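Added illustration, not part of Jeff's post or of BIND itself: a small Python checker that models the BIND 9.3 behaviour the post runs into (allow-recursion gates only recursion; cached answers are handed out to whoever the options-level allow-query admits, which defaults to any). The weak config is constructed to mirror the post's options block with a sample ACL; the hardened one uses allow-query { mynets; } in options and re-opens each authoritative zone with allow-query { any; }, which is the 9.3-era fix (BIND 9.4 and later add allow-query-cache for the same purpose). The acl/zone names and the 192.0.2.0/24 and 203.0.113.0/24 addresses are assumptions.

```python
import ipaddress
import re
# Constructed configs, not the post's own. WEAK mirrors the post's options{}:
# recursion is limited to mynets, but on BIND 9.3 nothing gates the cache.
WEAK_CONF = """
acl mynets { 192.0.2.0/24; };
options {
    allow-recursion { mynets; };
};
"""
# HARDENED: on 9.3 the options-level allow-query gates cached answers too,
# and each authoritative zone re-opens itself with allow-query { any; }.
# (BIND 9.4 and later add allow-query-cache { mynets; }; for this.)
HARDENED_CONF = """
acl mynets { 192.0.2.0/24; };
options {
    allow-recursion { mynets; };
    allow-query { mynets; };
};
zone "example.com" { type master; file "example.com.db"; allow-query { any; }; };
"""

def parse_acls(conf):
    """Map each acl name to its address-list tokens ('any'/'none' built in)."""
    acls = {"any": ["any"], "none": []}
    for name, body in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf):
        acls[name] = [t.strip() for t in body.split(";") if t.strip()]
    return acls

def directive(block, name):
    """Tokens of `name { ... };` inside block, or None if it is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", block)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def ip_matches(ip, tokens, acls):
    """Match ip against CIDR prefixes, expanding acl names (no '!' negation)."""
    addr = ipaddress.ip_address(ip)
    for tok in tokens:
        if tok == "any" or (tok in acls and ip_matches(ip, acls[tok], acls)):
            return True
        if tok not in acls and addr in ipaddress.ip_network(tok, strict=False):
            return True
    return False

def cache_readable_by(conf, ip):
    """9.3 semantics: the cache is gated only by options-level allow-query."""
    opts = re.search(r"options\s*\{(.*?)\n\};", conf, re.S).group(1)
    tokens = directive(opts, "allow-query") or ["any"]
    return ip_matches(ip, tokens, parse_acls(conf))
```

Run cache_readable_by(WEAK_CONF, "203.0.113.5") to reproduce the post's symptom (an off-subnet client still gets cached answers) and the same call on HARDENED_CONF to confirm the fix.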