Diagnostic help
Bill Christensen
billc_lists at greenbuilder.com
Tue Sep 30 03:37:16 UTC 2014
So if my server is authoritative for MyDomain.com, should Joe Sixpak be
able to resolve it via whatever DNS he's using, as mine is currently set up?
Do I need to change it to
allow-query { any; };
in order to allow that to happen? Will my restriction on recursion keep
the riffraff to a minimum?
Thanks.
On 9/29/14, 7:58 PM, Ben Croswell wrote:
>
> The default for allow query is local host local nets. Basically the
> server itself and directly connected networks.
>
> On Sep 29, 2014 8:03 PM, "Bill Christensen"
> <billc_lists at greenbuilder.com> wrote:
>
> Hi folks,
>
> Something got sideways on one of my DNS servers, and I would
> appreciate some help in figuring out what's going on.
>
> I'm running BIND 9.10.1. This server is authoritative master for
> a number of domains.
>
> First off, I may have the allow-query set incorrectly. Currently I
> have:
>
> acl query-permit {
> (range of IP address on the local LAN which are allowed to use
> this server as their query server)
> };
>
> acl recursive-permit {
> (range of IP address on the local LAN which are allowed to use
> this server for recursive queries)
> };
>
> acl transfer-permit {
> (IP addresses of a couple other name servers allowed to do
> transfers with this one)
> };
>
> and at the beginning of the options section:
>
> allow-recursion { recursive-permit; };
> allow-transfer { transfer-permit; };
> // allow-query { query-permit; };
>
> Allow-query is commented out, which I assume will allow anyone to
> query this server for the domains for which it has master or slave
> records, but does not allow the general public to do recursive
> queries or queries on domains not hosted here.
>
> Let me know if I've got that right, or how to correct it if I don't.
>
> If this part is correct I'll continue the questioning.
>
> Thanks!