bind configuration

Jim Reid jim at rfc1035.com
Mon Feb 28 09:43:39 UTC 2000


>>>>> "Nenita" == Nenita Manaois <cyberlab at magix.com.sg> writes:

    Nenita> i have read vulnerability issues re: "allow-query" entries
    Nenita> in the bind config.

Where? And what do they say?

    Nenita> however, when i tried to use it,
    Nenita> (i.e., allow-query only to the authoritative servers for
    Nenita> my domain) and turned recursion off, my users started
    Nenita> complaining that their local web sites couldn't be resolved
    Nenita> and emails sent to them are not delivered in their
    Nenita> mailbox.

You should *never* disable recursion unless you know that the name
server will only be queried by other name servers. As a general rule
this option is used on the name servers running on the external
interface of a firewall. By disabling recursion, you prevented
everything inside your net from using the DNS because they make
recursive requests. Applications that use the resolver make recursive
requests because it's hard for them to make lots of iterative lookups
to follow NS records. And besides, that's what the name server is
supposed to do for them anyway.

As for the allow-query options, I personally don't see the need for
this. Your firewall should be blocking undesirable DNS traffic from
coming into your net. [OTOH, it wouldn't hurt too much to have the
name server do access checking in addition to the firewall: defence in
depth and all that.] However if you feel you must apply access
controls you need to do two things.

In the options{} statement, provide an allow-query clause that defines
your local IP addresses, i.e. only local users can query the name
server. This on its own is not enough because it prevents anyone from
looking up your local zones. That can be inconvenient if they want to
send you mail or browse your web server. So the second part is to add
an allow-query clause of { any; } to the zone{} statements for your
local zones. These will be used instead of the global allow-query ACL
in the options statement. The result is that anyone is able to get
answers from your name server for the local zones but only the local
users can get answers for non-local ones.
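
As an added example, not part of the original post, here is the two-part
setup described above written out in named.conf syntax: a global
allow-query restricted to local addresses, recursion left on, and a
per-zone allow-query of { any; } on the local zones. The address ranges
(127.0.0.1, 192.0.2.0/24), the zone names and the file names are
constructed placeholders assumed for illustration.

```conf
// Added example, not from the original post. Addresses, zone names and
// file names are constructed placeholders; substitute your own.

// Name the local address ranges once so the options{} clause can refer
// to them by name.
acl "local-nets" {
    127.0.0.1;        // the name server itself
    192.0.2.0/24;     // constructed: your internal network
};

options {
    directory "/var/named";

    // Recursion stays on: resolvers and applications inside the net
    // send recursive queries and rely on this server to follow NS
    // records for them.
    recursion yes;

    // Global default: only local users may query this server at all.
    allow-query { "local-nets"; };
};

// Local (authoritative) zones override the global ACL so that outside
// name servers can still look up the MX and web records they need to
// deliver mail to you or reach your web server.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "192.0.2.rev";
    allow-query { any; };
};
```

The zone-level allow-query replaces the global one rather than adding
to it, so each local zone needs its own { any; } clause. The net effect
is the split the post describes: anyone can get answers for the local
zones, while only addresses in "local-nets" can have the server resolve
anything else. Later BIND releases also provide an allow-recursion
option that expresses this split directly, and named-checkconf will
validate the file's syntax before you reload the server.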



More information about the bind-users mailing list