Use allow-query on primary servers?

Jim Reid jim at rfc1035.com
Tue Dec 21 19:00:25 UTC 1999


>>>>> "Martin" == Martin Horneffer <Horneffer at rrz.Uni-Koeln.DE> writes:


    Martin> Is it advisable to use allow-query to limit queries to
    Martin> one's primary zones, as in CIAC J-063.

Not really, though explicitly blocking systems that are being nasty
would be reasonable. If you try to define a set of trusted hosts that
are allowed to query your name servers, you probably lose. How are you
going to predict which hosts and users on the internet will look up
your domain(s) and the IP addresses of the name servers or resolvers
they will use? This is only do-able when the name servers live behind
a firewall and there's tight control over the nets that get routed
over the internal network.

    Martin> I.e. something like:

	acl "trusted" {
		...			// address-match list of hosts allowed to query
	};

	options {
		 ... 
		allow-query {		// global default, applies to zones without their own
			trusted;
		};
	};

	zone "example.com" {
		type master;
		file "example.com";
		allow-query {		// zone-level ACL, overrides the global one for this zone
			any;
		};
	};

    Martin> If doing this, clients that are not in "trusted" appear to
    Martin> get strange errors when resolving non-existing names
    Martin> within "example.com".

What are those errors? What names are they looking up? And what's the
REAL domain name?

The sample config file you gave above might not work the way you
expect. When a lookup is for a name in example.com, the ACL for
example.com is checked rather than your global ACL "trusted". So this
means anybody should be able to look up names in this domain, i.e. there
are no untrusted clients for the example.com domain. Mind you, there
could be fun if there's a zone cut under example.com and your name
server is authoritative for that zone and there's no ACL on its zone{}
statement.

BTW, the BIND documentation advises against using a zone-specific ACL
that is less restrictive than a global ACL. From doc/html/zone.html:

	<DT><CODE>allow-query</CODE>
	<DD>
	....
	Note that this should in general be <I>more restrictive</I>
	than the similar global option of the same name; otherwise,
	confusing and nonworthwhile delegations will be returned.
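
The following is an added example, not part of the post above or of BIND
itself. It models the precedence rule the reply describes (a zone's own
allow-query is consulted for names in that zone; a zone with no allow-query
falls back to the global option) and uses it to show the zone-cut surprise:
a child zone under example.com that has no allow-query of its own inherits
the restrictive global "trusted" list, so clients that can query the parent
are refused for the child. The ACL contents, zone names and client addresses
are constructed, and address-match lists are assumed to contain only ACL
names, "any"/"none", and address or prefix literals (no "!" negation).

```python
# Added example: model of BIND's allow-query precedence as described in the
# reply (not BIND's own code). ACLs, zones and addresses are constructed.
from ipaddress import ip_address, ip_network

# Constructed named ACLs: name -> address-match list.
ACLS = {
    "trusted": ["192.0.2.0/24", "2001:db8::/32"],
}

# Constructed configuration mirroring the sample in the question, plus a
# child zone under example.com with no allow-query of its own (the zone-cut
# case the reply warns about).
GLOBAL_ALLOW_QUERY = ["trusted"]
ZONES = {
    "example.com": {"allow-query": ["any"]},
    "sub.example.com": {},  # authoritative here, but no zone-level ACL
}


def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matching_zone(qname, zones):
    """Return the most specific configured zone containing qname, or None."""
    q = labels(qname)
    best = None
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best


def effective_allow_query(qname, zones=ZONES, global_acl=GLOBAL_ALLOW_QUERY):
    """(zone, ACL) consulted for a query on qname: zone ACL if present, else global."""
    zone = matching_zone(qname, zones)
    if zone is not None and "allow-query" in zones[zone]:
        return zone, zones[zone]["allow-query"]
    return zone, global_acl


def acl_permits(acl, client_ip, acls=ACLS):
    """Evaluate an address-match list of ACL names, builtins and literals."""
    addr = ip_address(client_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if entry in acls:  # named ACL: recurse into its own list
            if acl_permits(acls[entry], client_ip, acls):
                return True
            continue
        # A bare address or prefix literal; version mismatch simply never matches.
        if addr in ip_network(entry, strict=False):
            return True
    return False


def query_allowed(qname, client_ip, zones=ZONES, global_acl=GLOBAL_ALLOW_QUERY):
    """Would this client be allowed to query qname under the modelled config?"""
    _, acl = effective_allow_query(qname, zones, global_acl)
    return acl_permits(acl, client_ip)


def zone_cut_warnings(zones=ZONES, global_acl=GLOBAL_ALLOW_QUERY):
    """List (child, parent) zone pairs whose effective ACLs differ.

    A client permitted for the parent may be refused for names under the
    child, which is the confusing behaviour the reply describes.
    """
    warnings = []
    for zone in zones:
        parts = labels(zone)
        if len(parts) < 2:
            continue
        parent = matching_zone(".".join(parts[1:]), zones)
        if parent is None:
            continue
        child_acl = effective_allow_query(zone, zones, global_acl)[1]
        parent_acl = effective_allow_query(parent, zones, global_acl)[1]
        if child_acl != parent_acl:
            warnings.append((zone, parent))
    return warnings


if __name__ == "__main__":
    for name in ("www.example.com", "host.sub.example.com", "www.example.org"):
        print(name, "->", effective_allow_query(name))
    print("untrusted client, child zone:",
          query_allowed("host.sub.example.com", "203.0.113.9"))
    print("zone-cut warnings:", zone_cut_warnings())
```

Giving the child zone an explicit allow-query { any; } (or dropping the
restrictive global default altogether, which is what the quoted BIND
documentation leans towards) makes zone_cut_warnings() return an empty
list for the same configuration.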
