CNAMEs pointing to outside domains

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 18 01:14:26 UTC 2002


Vincent Aniello wrote:

> I am running BIND 9.2.1 and attempting to limit the hosts that can query my
> DNS server with the allow-query and allow-recursion options in named.conf.
> When I restrict these options to a list of trusted networks, from a host
> outside the list of trusted networks I am unable to look up CNAMEs that refer
> to hosts that are part of domains not local to my DNS server.
>
> For example, for the record:
>
> www.localdomain.com    IN    CNAME    www.outsidedomain.com.
>
> Lookups on www.localdomain.com fail with a 'Query denied' error when queried
> via nslookup from a host outside of the list of trusted networks for my DNS
> server.
>
> When I set allow-query to 'any' and restrict recursion to a list of trusted
> networks with the allow-recursion option, an nslookup of www.localdomain.com
> from a host outside the list of trusted networks returns the list of root
> DNS servers.
>
> Is it possible to configure BIND 9.2.1 to allow queries for CNAMEs that refer
> to non-local domains and still restrict queries and recursive queries for other
> domains and records?

I'm not aware of any such configuration option.

But why is it necessary? Your nameserver has done the job of translating the
alias into a canonical name; any fully-functional resolver should then be able
to translate that canonical name into an A record or whatever. Somewhat
inefficient, yes, but it should still work. Shouldn't it?


- Kevin
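
The behaviour discussed in this message, as an added sketch that is not part of the original post and is not BIND code: a simplified Python model of a server that answers any client but recurses only for trusted networks, and of an outside client's resolver restarting the query at the canonical name. The addresses, the trusted network and all function names are assumptions; only the two host names come from the post.

```python
import ipaddress

# Constructed sample data; the root-server referral mentioned in the post is not modelled.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]            # allow-recursion list
LOCAL_ZONE = {("www.localdomain.com.", "CNAME"): "www.outsidedomain.com."}
OUTSIDE_ZONE = {("www.outsidedomain.com.", "A"): "198.51.100.10"}


def is_trusted(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED)


def outside_server(qname, qtype):
    """Authoritative server for outsidedomain.com; answers any client."""
    value = OUTSIDE_ZONE.get((qname, qtype))
    return [(qname, qtype, value)] if value else []


def local_server(client_ip, qname, qtype):
    """Model of allow-query { any; } combined with a restricted allow-recursion."""
    answer = []
    target = LOCAL_ZONE.get((qname, "CNAME"))
    if target:
        answer.append((qname, "CNAME", target))
        # Only clients allowed to recurse get the out-of-zone target chased.
        if is_trusted(client_ip):
            answer += outside_server(target, qtype)
    return answer


def client_lookup(client_ip, qname, qtype="A", max_restarts=8):
    """The client's own resolver: restart the query at each CNAME target."""
    for _ in range(max_restarts):          # bounded, so alias loops terminate
        if qname.endswith(".localdomain.com."):
            records = local_server(client_ip, qname, qtype)
        else:
            records = outside_server(qname, qtype)
        if not records:
            return None
        _, rtype, value = records[-1]
        if rtype == qtype:
            return value
        qname = value                      # last record is a CNAME: follow it
    return None
```
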



