recursion and propagation
Glenn Vidad
gvidad at myersinternet.com
Wed Nov 13 18:13:03 UTC 2002
perfect... thank you...
and by doing that, the latest bind vulnerability will only be exposed
internally? which is still a risk, but can be monitored....
-----Original Message-----
From: Cricket Liu [mailto:cricket at menandmice.com]
Sent: Wednesday, November 13, 2002 10:02 AM
To: bind-users at isc.org
Subject: Re: recursion and propagation
Glenn Vidad wrote:
> from a 40,000 foot view, does recursion directly affect propagation?
>
> we're a small ASP, and although we don't provide dns resolution to our
> clients we only host their domain names (did that make sense?)... we do,
> however, provide dns resolution internally. i was thinking about going
> the way of the workaround by adding...
>
> options { directory "/etc/named";
> recursion no;
> allow-recursion { 192.168.0.0/24; 10.1.1.0/24; };
> };
>
> to our named.conf file. will this do the following.
> allow internal users to use our nameservers for name resolution?
> block internet users from using our nameservers for name resolution?
> still allow zone transfers and propagation once a zone file is
> modified?
No, it'll turn recursion off entirely. You can't use both "recursion no"
and "allow-recursion." They're mutually incompatible (unless you're
using "allow-recursion { none; };" I guess, in which case they're
redundant).
If you want your name server to allow your internal users' recursive
queries but not recursive queries from the Internet, just use
allow-recursion. It'll have no effect on zone transfers.
cricket
Men & Mice
DNS Software, Training and Consulting
www.menandmice.com
The DNS and BIND Cookbook, available now!
http://www.oreilly.com/catalog/dnsbindckbk/
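
The conflict described in the reply above, as an added example that is not part of the original thread: a small Python check that reads the `options` block of a named.conf and reports whether recursion is effectively on and for which clients. The function names and the simplified parsing (global `options` only, no views or includes) are assumptions of this sketch; the two sample configurations are constructed from the question and the reply.

```python
import re

# Constructed inputs: the options block from the question, and the form the
# reply recommends (allow-recursion on its own).
QUESTION_CONF = """options { directory "/etc/named";
    recursion no;
    allow-recursion { 192.168.0.0/24; 10.1.1.0/24; };
};"""
REPLY_CONF = """options { directory "/etc/named";
    allow-recursion { 192.168.0.0/24; 10.1.1.0/24; };
};"""

def options_body(text):
    """Return the text inside options { ... }, honouring nested braces."""
    # Simplified comment stripping: does not account for quoted strings.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    raise ValueError("unbalanced braces in options block")

def check_recursion(conf):
    """Report whether recursion is on, for whom, and any conflict."""
    body = options_body(conf)
    # Lookbehind keeps "allow-recursion" from matching as "recursion".
    rec = re.search(r"(?<![-\w])recursion\s+(\w+)\s*;", body)
    acl = re.search(r"(?<![-\w])allow-recursion\s*\{([^}]*)\}", body)
    enabled = not (rec and rec.group(1).lower() in ("no", "false", "0"))
    clients = [c.strip() for c in acl.group(1).split(";") if c.strip()] if acl else []
    findings = []
    if not enabled and clients and clients != ["none"]:
        findings.append("'recursion no' overrides allow-recursion: "
                        "listed clients get no recursion")
    if enabled and not acl:
        findings.append("no allow-recursion ACL: recursion is not "
                        "restricted by this options block")
    return {"recursion": enabled,
            "clients": clients if enabled else [],
            "findings": findings}

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("reply", REPLY_CONF)):
        print(name, check_recursion(conf))
```
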