high volume from outside our networks question
Lawrence K. Chen, P.Eng.
lkchen at ksu.edu
Wed Jan 30 22:23:53 UTC 2013
I think this is one of those reasons why mixing caching/recursion with authoritative is bad.
I think the option needed is 'additional-from-cache no;', but it's only effective if 'recursion no' is done in global options ... or in a view?
Hmm, wonder if a view is the answer... perhaps try something like:
view "trusted" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    # allow-query-cache then defaults to the same match as allow-recursion
    ....
};
view "untrusted" {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    ....
};
----- Original Message -----
> acl "trusted" {
> xxx.xxx.xxx.0/20;
> xxx.xxx.xxx.0/23;
> xxx.xxx.xxx.0/22;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> x.xx.xxx.0/21;
> x.xx.xx.0/24;
> xxx.xxx.xxx.0/24;
> localhost;
> localnets;
> };
> options {
> // Relative to the chroot directory, if any
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-recursion { "trusted"; };
> allow-query { any; };
> allow-query-cache { "trusted"; };
> It's standard conf with the default stuff in it as well as 24 zones or so in it.
> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr < sjcarr at gmail.com > wrote:
> > So the response you received wasn't recursed ";; WARNING: recursion requested but not available", so at least that ACL is holding up, but it could be that the response you got is still being served from your DNS server's cache. Can you share the exact configuration statements you have implemented for allow-recursion and allow-query-cache and are these options in the view stanza or in the global options?
> >
> > Best practice is that authoritative and recursive DNS servers should be completely separate.
> >
> > Steve
>
> --
> Richard Carroll
> richcarroll at gmail.com
> 785-288-1144
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
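As an added example that is not part of the original thread: a small Python classifier for dig output captured from a client outside the `trusted` ACL, separating the answers the split views above should produce (authoritative for your own zones, REFUSED for everything else) from a non-authoritative answer served out of the cache or an `ra` flag showing recursion is still offered. The sample dig outputs are constructed.

```python
"""Classify dig output captured from a client outside the 'trusted' ACL.
Added example, not from the thread; the sample outputs are constructed and
follow dig's default header format (only the HEADER and flags lines are read).
"""
import re

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*?);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+)")


def classify(dig_output: str) -> str:
    """Return what kind of answer the untrusted client received."""
    header = HEADER_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not header or not flags:
        return "unparseable"
    status = header.group(1)
    flagset = set(flags.group(1).split())
    answers = int(flags.group(2))
    if "ra" in flagset:          # server offers recursion: allow-recursion not holding
        return "recursion-offered"
    if status == "REFUSED":      # expected for names outside your own zones
        return "refused"
    if status == "NOERROR" and "aa" in flagset:   # expected for your own zones
        return "authoritative"
    if status == "NOERROR" and answers > 0:       # records without 'aa': from cache
        return "cache-leak"
    return "other:" + status


# Constructed samples (ids made up); dig prints the WARNING line when rd is set
# in the query but ra is absent in the reply, which is what we want to see.
SAMPLE_AUTH = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available"""
SAMPLE_LEAK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available"""
SAMPLE_REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
SAMPLE_OPEN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""

if __name__ == "__main__":
    for name, out in (("auth", SAMPLE_AUTH), ("leak", SAMPLE_LEAK),
                      ("refused", SAMPLE_REFUSED), ("open", SAMPLE_OPEN)):
        print(name, "->", classify(out))
```

Run dig from an address outside the ACL against a name in one of your zones and against an outside name; anything classified as cache-leak or recursion-offered means the untrusted view is still handing out cached data.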