Recursive Domain Query on Restricted Recursive DNS
Nicolas Pence
npence at dedicado.com
Wed Nov 28 11:54:38 UTC 2007
> Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.
The configuration is working; if I don't put the line "allow-query-cache",
the following happens:
> allow-query { mynet; };
Blocks unauthorized new queries, but queries to records in cache
are successful.
> allow-query-cache { mynet; };
Blocks unauthorized new queries to records already in my cache.
I've made some tests, and if an authorized user queries a domain "example.com",
the unauthorized users can make queries for it without problems.
If this domain "example.com" is not in the cache, then the unauthorized
user can't get the info.
> I think this is doable if you drop the global "allow-recursion"
> restriction (which at the global level is extraneous anyway because of the global allow-query), and then define the zones of interest as "type stub" with "allow-query" opened up.
OK, it's true, I should remove allow-recursion; it is already limited by allow-query & allow-query-cache.
I read about stub zones and there is the need for "already known" master servers
(that is, if I understand how stub works):
zone "subdom.example.com" {
    type stub;
    file "slaves/subdom.example.com.zone";
    masters { ip1; ip2; };
};
So I don't really have master servers, but if the info is
in the cache, can't I just query this domain locally and allow anybody to do it?
thanks
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On behalf of Kevin Darcy
Sent: Wednesday, 28 November 2007 01:19
To: bind-users at isc.org
Subject: Re: Recursive Domain Query on Restricted Recursive DNS
Nicolas Pence wrote:
> Hi, I need to know how to set up the following solution:
>
> - I have a Recursive DNS that is restricted to only wanted IP ranges,
> running Bind 9.3.2
>
> acl mynet { iprange1/mask; iprange2/mask; iprange3/mask; };
>
> options {
>     allow-recursion { mynet; };
>     allow-query { mynet; };
>     allow-query-cache { mynet; };
> };
>
Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.
>
> - But I see some people with my NS configured doing queries to a
> domain name that I really want them to reach, so what I need is to
> enable queries "only" to this domain name "subdom.example.com"
> for anybody who queries my server, like doing:
>
> allow-query { any; };
>
> - subdom.example.com is not mine, so I can't be authoritative for this domain
> and resolve the issue by setting up a master or a slave zone.
>
> Is this task possible?
>
I think this is doable if you drop the global "allow-recursion"
restriction (which at the global level is extraneous anyway because of the global allow-query), and then define the zones of interest as "type stub" with "allow-query" opened up.
"Type slave" should work also, of course, but that would, in addition to the above, require zone-transfer permission/authority and is likely to incur more overhead than "type stub" (depending on a variety of factors, e.g. zone REFRESH setting, whether the remote side supports/honors IXFR, TTL of the most popularly-queried records, frequency of changes to the zone, etc.)
- Kevin
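The layout Kevin describes, written out as an added example that is not part of the thread: recursion stays limited to "mynet" through the global allow-query, and only the stub zone is opened to everyone, so the rest of the cache is not exposed to unauthorized clients. The ACL ranges, directory and masters addresses are constructed placeholders; for a stub zone the masters are simply the domain's public authoritative servers, which are queried for SOA/NS records rather than zone-transferred.

```conf
// Added example (not from the thread): named.conf along the lines Kevin
// describes. Addresses below are constructed placeholders (RFC 5737 ranges).
acl mynet { 192.0.2.0/24; 198.51.100.0/24; };

options {
    directory "/var/named";   // placeholder path
    // Only mynet may use the resolver at all. No global allow-recursion:
    // a client that cannot pass allow-query cannot recurse either.
    allow-query { mynet; };
    // BIND 9.3 has no allow-query-cache (it arrived in later 9.x releases);
    // leave it out on 9.3.2 or the configuration will not load.
};

// Stub zone: the server fetches and keeps only the SOA/NS records of
// subdom.example.com from the listed servers (plain queries, no zone
// transfer, so no transfer permission is needed). Names below it are then
// resolved through those authoritative servers. The zone-level allow-query
// overrides the global one, so anyone may ask about this one domain while
// everything else stays restricted to mynet.
zone "subdom.example.com" {
    type stub;
    file "slaves/subdom.example.com.zone";
    // Placeholder: replace with the public authoritative servers of
    // subdom.example.com (the addresses behind its NS records).
    masters { 203.0.113.53; 203.0.113.54; };
    allow-query { any; };
};
```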