
USENET News System news at beaver.cs.washington.edu
Wed Aug 4 02:39:24 UTC 1999


Newsgroups: comp.protocols.dns.bind
Path: not-for-mail
From: Jeremy Buhler <jbuhler at cs.washington.edu>
Subject: Can I export access to just one domain?
User-Agent: tin/pre-1.4-19990624 ("Dawnrazor") (UNIX) (Linux/2.2.9 (i686))
Organization: Computer Science & Engineering, U of Washington, Seattle
Message-ID: <FFx61K.FpB at beaver.cs.washington.edu>
X-Nntp-Posting-Host: tako.cs.washington.edu
Date: Wed, 4 Aug 1999 02:39:19 GMT

A friend of mine has asked me to act as secondary name server for his
domain.  Previously, I was running a caching-only name server for my
machine and only listening for requests on the domain port for
127.0.0.1.  I'm happy to serve requests for records in my friend's
domain to the world in general, but I still don't see a need to serve
arbitrary requests from anyone but myself.

At the moment, I've configured my named.conf as follows (this is for
bind 8.2.1):

options {
 ...

 allow-query { 127.0.0.1; };

 ...
};


zone "myfriendsdomain.com." in {
 type slave;
 ...

 allow-query { any; };

 ...
};


This configuration seems to do exactly what I want, but the bind
documentation strongly recommends against it -- it says that specific
zones should always be more restrictive, never less restrictive, than
the default.  However, I don't understand the justification for this
recommendation.

What are the disadvantages of my present configuration?  Do I need to
allow arbitrary queries to my server to be a "good DNS citizen"?

-- 
## Jeremy Buhler * peace through superior algorithms * U. Washington ##
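The question above is about a zone-level allow-query that is wider than the one in options. As an added example that is not part of the original post and not BIND's own code, here is a small Python check that reads a named.conf fragment, takes the options-level allow-query as the default (BIND's own default is any when the statement is absent) and reports every zone whose allow-query admits a source the default does not. The parser is a deliberately simplified one written for this example (braces, semicolons, quoted strings, the three BIND comment styles); it does not expand the localhost/localnets keywords or named ACLs, so those are treated as "not covered" and flagged for manual review. The configuration it runs on is constructed to mirror the post.

```python
import ipaddress
import re

# Tokens: quoted strings, the three structural characters, or bare words.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def strip_comments(text):
    """Remove /* */, // and # comments (the forms named.conf accepts)."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#).*', ' ', text)


def tokenize(text):
    return _TOKEN.findall(strip_comments(text))


def parse_block(tokens, pos=0):
    """Parse statements until '}' or end of input.

    Returns (statements, pos); each statement is (words, body) where body is a
    nested statement list for '{ ... };' forms and None for 'word word;' forms.
    """
    stmts = []
    while pos < len(tokens) and tokens[pos] != '}':
        words = []
        while pos < len(tokens) and tokens[pos] not in ('{', ';'):
            words.append(tokens[pos].strip('"'))
            pos += 1
        if pos >= len(tokens):
            break
        if tokens[pos] == '{':
            body, pos = parse_block(tokens, pos + 1)
            pos += 1                      # skip the closing '}'
            if pos < len(tokens) and tokens[pos] == ';':
                pos += 1                  # skip the trailing ';'
        else:
            body = None
            pos += 1                      # skip ';'
        stmts.append((words, body))
    return stmts, pos


def acl_elements(body):
    """Flatten an allow-query body into a list of address-match elements."""
    return [' '.join(words) for words, _ in body]


def _net(elem):
    try:
        return ipaddress.ip_network(elem, strict=False)
    except ValueError:
        return None                       # keyword, named ACL, or key name


def element_covered(elem, default_acl):
    """True if the default ACL already admits everything `elem` admits."""
    if 'any' in default_acl or elem in default_acl:
        return True
    if elem == 'none' or elem.startswith('!'):
        return True                       # these only remove sources
    net = _net(elem)
    if net is None:
        return False                      # cannot expand it: flag for review
    return any(d is not None and d.version == net.version and net.subnet_of(d)
               for d in map(_net, default_acl))


def find_overbroad_zones(conf_text):
    """Return [(zone_name, [elements wider than the options default]), ...]."""
    stmts, _ = parse_block(tokenize(conf_text))
    default_acl = ['any']                 # BIND's default when allow-query is absent
    for words, body in stmts:
        if words == ['options'] and body:
            for w, b in body:
                if w == ['allow-query'] and b is not None:
                    default_acl = acl_elements(b)
    findings = []
    for words, body in stmts:
        if words and words[0] == 'zone' and len(words) > 1 and body:
            for w, b in body:
                if w == ['allow-query'] and b is not None:
                    extra = [e for e in acl_elements(b)
                             if not element_covered(e, default_acl)]
                    if extra:
                        findings.append((words[1], extra))
    return findings


# Constructed named.conf fragment modelled on the post (not a real server's file).
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-query { 127.0.0.1; };   // default for every zone
};

zone "myfriendsdomain.com." in {
    type slave;
    file "sec/myfriendsdomain.com";
    masters { 192.0.2.1; };       # documentation address, constructed
    allow-query { any; };         /* wider than the default */
};

zone "0.0.127.in-addr.arpa." in {
    type master;
    file "pri/127.0.0";
    allow-query { 127.0.0.1; };
};
"""

if __name__ == '__main__':
    for zone, extra in find_overbroad_zones(SAMPLE_CONF):
        print(f'zone {zone}: allow-query admits {extra} beyond the options default')
```

Run against the sample it reports only myfriendsdomain.com., because its allow-query of any admits sources the options-level 127.0.0.1 does not; the reverse zone matches the default and is silent. Prefix containment is handled (a zone allowing 10.1.2.3 under an options default of 10.0.0.0/8 is not flagged), so the check generalises beyond the exact-string comparison the post's example needs.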