DNS Security

Barry Margolin barmar at bbnplanet.com
Tue Dec 28 19:55:27 UTC 1999


In article <199912281918.OAA18231 at advdata.net>,  <wwebb at adni.net> wrote:
>On a server that acts as a master for CAP.GOV, the named.conf 
>has the following as part of options,
>
>        allow-recursion { 198.88.0.19; 198.88.0.39; };
>        fetch-glue no;
>
>As an aside, I don't believe "allow-recursion" is discussed in the
>DNS & BIND book (3rd Edition) but I learned about it in ISC
>documentation.  Beginning in what version of BIND is
>"allow-recursion" allowed?

It was added in 8.2.  The book covers 8.1.2.

>At any rate, the server seems to be working well, acting
>authoritatively for its zones (using much less memory than when it
>was recursive); however, entries such as the following show up
>occasionally in the message log:
>
>unapproved recursive query from [192.31.106.5].53 for njwg.cap.gov
>
>What is the significance of such entries?

This may have been someone using dig or nslookup to query your server
manually.  Those tools set the Recursion Desired flag when they send
queries, unless the user specifies the norecurse option.  Njwg.cap.gov is a
delegated subdomain, so your server can't fulfill the query from its
authoritative data, and the allow-recursion option prevents it from
performing the recursive query as requested.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
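Added example (not part of the original thread, and not ISC's code): a small Python triage script for the "unapproved recursive query" lines discussed above. It parses constructed BIND-style syslog lines, and for each source address separates names under the server's own zones (the dig/nslookup-with-RD case Barry describes, such as a delegated subdomain) from names outside them (someone trying to use the authoritative server as an open resolver). The sample log text, the host name ns1 and the address 10.0.0.7 are constructed for the example; cap.gov and 192.31.106.5 come from the post.

```python
import re

# Constructed sample log lines in BIND 8 syslog style (not taken from the post).
SAMPLE_LOG = """\
Dec 28 14:02:11 ns1 named[1042]: unapproved recursive query from [192.31.106.5].53 for njwg.cap.gov
Dec 28 14:05:43 ns1 named[1042]: unapproved recursive query from [10.0.0.7].1053 for www.example.com
Dec 28 14:05:44 ns1 named[1042]: unapproved recursive query from [10.0.0.7].1054 for mail.example.net
Dec 28 14:09:02 ns1 named[1042]: starting.  named 8.2.2-P5
Dec 28 14:12:30 ns1 named[1042]: unapproved recursive query from [192.31.106.5].53 for ncwg.cap.gov
"""

# Zones this server is authoritative for (from the post: CAP.GOV).
AUTH_ZONES = ("cap.gov",)

LINE_RE = re.compile(
    r"unapproved recursive query from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for (?P<qname>\S+)"
)


def parse_unapproved(log_text):
    """Return a list of (src_ip, src_port, qname) for each matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".").lower()
            hits.append((m.group("src"), int(m.group("port")), qname))
    return hits


def in_auth_zone(qname, zones=AUTH_ZONES):
    """True if qname is at or below one of the server's authoritative zones."""
    qname = qname.rstrip(".").lower()
    return any(qname == z or qname.endswith("." + z) for z in zones)


def summarize(log_text, zones=AUTH_ZONES):
    """Per-source counts of in-zone vs. off-zone recursive attempts, plus the names asked."""
    summary = {}
    for src, _port, qname in parse_unapproved(log_text):
        entry = summary.setdefault(src, {"in_zone": 0, "off_zone": 0, "names": set()})
        entry["in_zone" if in_auth_zone(qname, zones) else "off_zone"] += 1
        entry["names"].add(qname)
    return summary


if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}: in-zone={e['in_zone']} off-zone={e['off_zone']} names={sorted(e['names'])}")
```

A source that repeatedly asks for names outside your zones is worth a closer look; a source that only asks for names under your zones with RD set usually is what Barry describes, a manual lookup tool or a misconfigured resolver pointed at the authoritative server.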