allow-query does not seem to restrict access to version.bind in 9.2.1

Jim Reid jim at rfc1035.com
Mon Jun 24 00:54:45 UTC 2002


>>>>> "Jesper" == Jesper Dybdal <jdunet at u7.dybdal.dk> writes:

    Jesper> If I wanted specifically to hide the version number, which
    Jesper> I don't, then allow-query would be my preferred way of
    Jesper> doing it, since it would allow myself to easily check that
    Jesper> I'm running the version I expect.

It still doesn't stop others finding out what version of BIND you're
running. Unless of course you prevent any remote access to your name
server: including handing out answers for the zones it serves. But
that would be somewhat pointless.

    Jesper> I know that perfectly well.  But is that a reason for the
    Jesper> allow-query clause to not work in the expected way?

Who knows? Since you didn't provide the relevant parts of the actual
config file that your name server is using, who can tell? In
particular the ACL you showed -- which could be the core of your
problem -- is not the one that your name server is actually applying.
"Dear mailing list, I think I have a problem with an ACL but I'm not
going to show it to you. Here's what it might look like. Please tell
me what could be wrong with it."

    Jesper> Can I trust it to work for all other domains, or are there
    Jesper> other surprises?

See above. However if there was a generic problem with ACLs in BIND9,
I'm sure it would have been found before now.

    Jesper> More details from my named.conf, only slightly anonymized

    >> This is pointless and a waste of everyone's time. Concealing
    >> the contents of your config file makes it difficult, sometimes
    >> impossible, for anyone to see what's wrong.

    Jesper> I have concealed the IP addresses of the place I work
    Jesper> because they are obviously irrelevant and I don't want to
    Jesper> publish other people's IP addresses for no particular
    Jesper> reason.

They may be obviously irrelevant to you. That doesn't mean they are.
Perhaps there's a syntax or semantic error in the actual file that
your censorship has obscured? Maybe your editing has corrected those
flaws? Who cares?

    >> Unless you show *exactly* what your name server sees, how is
    >> anyone expected to debug the config file for you?

    Jesper> I am not expecting anybody to debug my config file; there
    Jesper> is nothing wrong with my config file.

That's your opinion. But since you've not provided the actual file
your name server is using, we can only take your word for that. It's
not uncommon for posters to overlook things: they often can't see the
wood for the trees. That's why it generally helps if independent eyes
can check the actual config or zone files. Or whatever.

    Jesper> Are you seriously trying to tell me that the reason
    Jesper> allow-query does not work for version.bind can possibly
    Jesper> have anything to do with the exact IP addresses that I do
    Jesper> allow to query?

No. I'm telling you it might have something to do with the stuff
that's in your named.conf file but you chose to conceal. But since we
don't have that config file, nobody knows for sure.

Rather than waste more time, here's what I suggest you do. Post
*exactly* what's in your named.conf and clearly describe the
problems/symptoms. If the file is big, put it on a web site and post
the URL. Continuing this dialogue is futile if the people on this list
can't see what your name server sees.
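As an added example (not part of this thread and not BIND's own code): a small Python script that sends the version.bind CH TXT query the discussion is about, so an administrator can check from a given address whether their own server answers it and whether the answer is the version they expect. The server address, the expected version string and the two sample response packets below are constructed for illustration.

```python
import socket
import struct

# Build a wire-format query for "version.bind", class CHAOS (3), type TXT (16).
def build_version_query(txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", 16, 3)

def skip_name(buf, off):
    """Advance past an owner name (labels or a compression pointer)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_txt_answer(resp):
    """Return (rcode, [TXT strings]) from a response to the query above."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    rcode, off, strings = flags & 0xF, 12, []
    for _ in range(qd):                      # skip the echoed question
        off = skip_name(resp, off) + 4
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == 16 and rclass == 3:     # TXT in class CHAOS
            i = 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return rcode, strings

def classify(resp, expected):
    """'hidden-or-refused' if the server declined, else match/mismatch vs expected."""
    rcode, strings = parse_txt_answer(resp)
    if rcode != 0:
        return "hidden-or-refused", strings  # e.g. REFUSED from an allow-query ACL
    return ("match" if expected in strings else "mismatch"), strings

def check_version(server, expected, timeout=2.0):
    """Send the query over UDP/53 to a live server and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        resp, _ = s.recvfrom(512)
    return classify(resp, expected)

# Constructed sample responses: one answering "9.2.1", one REFUSED (rcode 5).
SAMPLE_OPEN = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
               b"\x07version\x04bind\x00\x00\x10\x00\x03"
               b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x06\x059.2.1")
SAMPLE_REFUSED = (b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x07version\x04bind\x00\x00\x10\x00\x03")
```

Run `check_version("192.0.2.1", "9.2.1")` (placeholder address) from inside and outside the allow-query ACL to see whether the restriction actually applies to the CHAOS query.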

