9.3.2 recursive only for local host
Kevin Darcy
kcd at daimlerchrysler.com
Thu Nov 16 03:39:31 UTC 2006
James Lockie wrote:
> I am running bind 9.3.2 on a static IP that changes.
> I would like to restrict bind to be recursive only for localhost.
>
> The problem is that if I put servers in the /etc/resolv.conf, it uses
> those DNS servers to resolve my domain and it may cache old information.
> When the IP changes, I update named on the localhost and use nslookup
> mydomain to test the changes.
> I don't want to wait for other servers to clear their cache so I can
> test it.
>
allow-recursion { localhost; };
Note, however, that if you allow *any* recursion, you will cache results
that can then, in the absence of any additional safeguards, be retrieved
by any client. This information disclosure can, to the paranoid, even be
considered a way for potential evildoers to "profile" you by seeing what
sites your web users are visiting, etc.
If you really want to keep things nailed down, you should probably use
allow-query and/or allow-query-cache (the latter is new as of BIND 9.4)
in addition to allow-recursion, in order to more accurately control who
can resolve from you and who can't.
- Kevin
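As an added illustration of the advice above (this configuration is not part of Kevin's message), here is a named.conf fragment for a BIND 9.4 or later server that answers authoritative queries for its own zones to anyone, but performs recursion and hands out cached data only to the local host. `localhost` is BIND's built-in ACL; the directory, zone name and zone file are constructed placeholders.

```conf
// Added example, not from the original post. Assumes BIND 9.4+;
// "localhost" is the built-in ACL, paths and zone names are placeholders.

// Weak setting: recursion open to every client. Everything the server
// looks up on behalf of the local host is cached and can then be read
// back by any client, and the server is usable as an open resolver.
//
//   options {
//       recursion yes;
//       allow-recursion { any; };
//   };

options {
    directory "/var/named";              // assumed path
    recursion yes;

    // Only the local host may trigger recursive lookups.
    allow-recursion { localhost; };

    // Only the local host may read answers out of the cache.
    // This option exists from BIND 9.4 on; on 9.3.x it must be omitted.
    allow-query-cache { localhost; };

    // Authoritative data for the zones below remains public.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";             // constructed placeholder
};
```

On a 9.3.x server, which lacks allow-query-cache, the same effect is obtained by setting `allow-query { localhost; };` globally (the global setting is what governs cache answers) and overriding it with `allow-query { any; };` inside each authoritative zone statement. In either version, `named-checkconf` on the edited file catches syntax errors before the server is reloaded.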