DNS Security

Joseph S D Yao jsdy at cospo.osis.gov
Mon Dec 27 22:51:17 UTC 1999


On Mon, Dec 27, 1999 at 10:39:17AM -0500, wwebb at adni.net wrote:
...
> options {
...
> 	allow-query { internal; };
> };
> 
> zone "acmebw.com" {
...
> 	allow-transfer {207.69.231.3; 209.86.147.1; };
> 	allow-query { any; };
> };
> 
> Irrespective of an option to allow queries only from the internal IP
> addresses, if a specific zone is set, such as acmebw.com as
> above, isn't the default to allow queries to that specific zone? If
> so, then what is the purpose of the "allow-query { any; }" entry
> above?
> 
> Thanks, Bill Webb

To put it more clearly, the answer to your first question is in fact
"no".

The default query permissions for a zone are: the explicit or default
query permissions for the entire config file.

The default query permissions for the entire config file are: to allow
queries.

Why is this distinction important?  Because it answers your second
question.  You add the "allow-query { any; };" statement precisely to
allow queries to that zone.  The default for all zones in this file has
been changed to "allow-query { internal; };".

The basic concept behind this is to increase security by initially
DISALLOWING anything, and then ALLOWING only what you explicitly intend.
The opposite, which is the DNS default, is to initially ALLOW
everything, and then DISALLOW only what you intend.  But this may let
some things you DIDN'T think of through, by mistake.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
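An added example, not from Joe's reply or from BIND itself, that models the precedence he describes: a zone's own allow-query wins, otherwise the options{} setting applies, otherwise BIND's built-in default of allowing any client. It also goes a step beyond the message by evaluating address-match lists the way BIND does (first matching element decides, a leading "!" negates); the acl name "internal" comes from the quoted config, but the prefixes behind it are assumed.

```python
import ipaddress

# Constructed stand-in for the acl{} blocks of a named.conf; "internal" is
# the name used in the quoted config, the prefixes behind it are assumed.
ACLS = {"internal": ["10.0.0.0/8", "192.168.1.0/24"]}

# Constructed stand-in for the quoted config: options{} limits queries to
# "internal"; the acmebw.com zone re-opens them with allow-query { any; }.
CONFIG = {
    "options": {"allow-query": ["internal"]},
    "zones": {
        "acmebw.com": {"allow-query": ["any"]},
        "corp.example": {},  # no zone statement: inherits options{}
    },
}

def effective_allow_query(config, zone):
    """Return the address-match list BIND applies to queries for `zone`."""
    zone_cfg = config["zones"].get(zone, {})
    if "allow-query" in zone_cfg:
        return zone_cfg["allow-query"]            # zone statement wins
    if "allow-query" in config.get("options", {}):
        return config["options"]["allow-query"]   # file-wide default
    return ["any"]                                # BIND's built-in default

def first_match(elements, addr, acls):
    """Walk an address-match list: the first element that matches decides;
    a leading '!' turns that match into a denial; no match means denied."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = first_match(acls[name], addr, acls)  # nested acl
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def query_allowed(config, zone, client_ip, acls=ACLS):
    """Would a query for `zone` from `client_ip` be accepted?"""
    addr = ipaddress.ip_address(client_ip)
    return first_match(effective_allow_query(config, zone), addr, acls)
```

Removing the options{} allow-query line from CONFIG shows the reply's point in reverse: every zone without its own statement falls back to answering anyone.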