allow-query or something else?

Kevin Darcy kcd at daimlerchrysler.com
Mon Jun 4 23:45:15 UTC 2001


It's generally a good idea, for security and other reasons, to separate
"recursive" from "non-recursive" nameservice. "Recursive" nameservice is what
your own clients use to resolve arbitrary names on the Internet.
"Non-recursive" nameservice just serves names from your own zones, and gives
only referrals -- which are useless to ordinary stub resolvers -- for
everything else (turn off recursion completely with "recursion no" in your
options statement). The memory-usage profiles are very different between
recursive and non-recursive nameservers, since non-recursive nameservers don't
experience cache growth or turnover.

If you don't have the wherewithal to separate these services, then, with a
mixed-use nameserver, you can limit queries in the way you desire by having a
global, i.e. options-statement, allow-query which permits only your internal
clients, and an "allow-query { any; };" for each of the zones you host. You
could also use a global "allow-recursion" to permit recursion for only your
internal clients, which is a bit simpler to configure, especially if you are
adding/changing/deleting zones all of the time, but be aware that anything you
happen to have cached will be served to a client even if you don't honor
recursion for the client. So whether you use allow-query or allow-recursion
depends a lot on whether you want to be somewhat nice to external clients
("I'll give you the answer if I happen to have it, but I'm not going to work to
get it") or just plain rude ("go away, I'm not going to answer your query at
all").


- Kevin

alexus wrote:

> i'm sorry for not being clear
>
> basically what i want to do is restrict people from using my name server,
> but when i put allow-query i don't think it serves my domains anymore,
> 'cause neither root servers and/or secondary and/or primary nameserver that
> hosting this domain won't be able to access this nameserver.
>
> grr.. it sounds so unclear again:(
>
> let me put it this way..
>
> i have my box (nameserver) which is box.nexgen.com, plus i have some other
> box let's say box2.nexgen.com .. for example they're hosting example.com domain
> box.nexgen.com being as a primary and box2.nexgen.com being as a secondary
> name server, after i add allow-query on box.nexgen.com i get this denied
> error message in logs file which is supposedly fine.. *BUT* my feeling is that
> after limiting query i'm also limiting everyone to see any changes that i do
> to that domain,
>
> in other words i want people from outside of my network (evil internet) to
> allow query only domains that i host and whoever is on my inside network
> (local network) to query whatever they want.
>
> ----- Original Message -----
> From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> To: <bind-users at isc.org>
> Sent: Monday, June 04, 2001 6:52 PM
> Subject: Re: allow-query or something else?
>
> >
> > alexus wrote:
> >
> > > Hi
> > >
> > > I'm using bind 9.x and I serve few primary/secondary zones
> > >
> > > I want to limit use of query for anyone who's outside my network to
> > > domains that i serve only and not for anything else.. does anyone know
> > > how to do it?
> > >
> > > i put allow-query but, but then i start getting messages
> > >
> > > box named[18928]: client xxx.xx.xxx.xx#26353: query 'xxx.com/IN' denied
> > >
> > > i'm assuming my name server is not really serving those zones anymore even
> > > though it does for people who's on the list in allow-query..
> >
> > I'm not sure what the problem is here. You want to restrict access to
> > your nameserver, and the log message above indicates that you denied a
> > query. Isn't that what you wanted?
> >
> > Or, does all of that xxx.xx.xxx.xx garbage indicate that you denied a
> > query that you shouldn't have? This isn't clear from your message...
> >
> >
> > - Kevin
> >
> >
> >
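As an added illustration (not part of Kevin's post or of any BIND documentation), the following named.conf fragment spells out the two mixed-use configurations he describes: a global allow-query restricted to internal clients with a per-zone "allow-query { any; };" override for each hosted zone, or, alternatively, an open allow-query with recursion restricted via allow-recursion. The "internal" ACL ranges, the zone file path, the secondary's address and the hostnames are assumed placeholders.

```conf
// Added example, not from the original thread. Addresses, paths and zone
// names below are assumptions chosen for illustration.

acl "internal" {
    127.0.0.1;
    10.0.0.0/8;         // assumed: your internal (local network) clients
    192.168.0.0/16;     // assumed: your internal (local network) clients
};

options {
    directory "/var/named";      // assumed

    // Approach 1 (what Kevin calls the "just plain rude" option):
    // answer only internal clients by default. Every hosted zone must then
    // override this with "allow-query { any; };", otherwise outside resolvers
    // and your own secondaries cannot look up the zone at all.
    allow-query { "internal"; };

    // Approach 2 (the "somewhat nice" option), used INSTEAD of the global
    // allow-query above: leave queries open, restrict only recursion. Simpler
    // to maintain when zones come and go, but data already in the cache is
    // still handed to outside clients, as Kevin notes.
    // allow-recursion { "internal"; };
};

// One stanza like this per zone you host (box.nexgen.com as primary).
zone "example.com" {
    type master;
    file "master/example.com.db";        // assumed path
    allow-query { any; };                // per-zone override: the world may read hosted data
    allow-transfer { 192.0.2.53; };      // assumed: address of the box2.nexgen.com secondary
};
```

To confirm the split behaves as intended, check from an address outside the "internal" ACL that `dig @box.nexgen.com example.com SOA` still returns the zone's data while a query for a name you do not host is answered with REFUSED (approach 1) or, at most, with a referral or a cached answer (approach 2); from an internal address both should resolve normally. Note that BIND versions from 9.4 onward also provide an "allow-query-cache" option, which closes the cached-data gap Kevin points out for the allow-recursion approach by controlling who may read answers from the cache.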