allow-recursion & allow-query

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 21 23:34:28 UTC 2002


joe wrote:

> Hi,
>
>  I've defined my ACL in named.conf as:
>
> acl dmz { 192.168.5.0/24; };
>
> then in my named.conf I have :
>
> options {
>         ...
>         ...
>         allow-query { dmz; };
>         allow-recursion { dmz; };
>         ...
>         ...
> };
>
> By using the above ACL I am limiting clients on my DMZ
> segment to perform queries and use recursion. I have a
> NAT setup on my firewall for my DNS's. I want to follow
> good practice and not allow outside clients to use my
> DNS's to perform recursive lookups. My concern is with
> the "allow-query" ACL I've setup. Am I disallowing outside
> clients the ability to do authoritative lookups for my zones?
> I should only be disallowing recursive lookups with the above
> config, correct?
>
> I found that when I tried an nslookup from the DMZ segment
> all worked fine. I then used an external DNS server, set it to
> my server and performed a lookup, I got back "query refused"
> which I would expect. My feeling is that if I'm denying queries,
> how are people going to find me on the Net. I then tested by
> removing the "allow-query" ACL and got back a list of the
> root servers upon a non-authoritative query using an external
> DNS set to use mine for the lookup. Is this because I disallowed
> the recursion? I'm assuming so.

You should restrict queries and recursion globally, and then open up
queries for each zone that you want to be available publicly.


- Kevin
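The layout Kevin describes, written out as an added named.conf example (not from the original thread): queries and recursion are closed globally, and each public zone re-opens queries with its own allow-query, which overrides the global setting for that zone only. The zone names, file names and directory are assumptions for illustration.

```conf
// Added example, not from the original thread.
// The dmz ACL matches the poster's; zone and file names are assumed.
acl dmz { 192.168.5.0/24; };

options {
    directory "/var/named";        // assumed path
    // Global default: only DMZ hosts may send queries at all.
    allow-query     { dmz; };
    // Only DMZ hosts may use this server as a recursive resolver;
    // everyone else gets REFUSED for recursive lookups.
    allow-recursion { dmz; };
};

// A zone that must be resolvable from the Internet re-opens queries.
// A zone-level allow-query replaces the global one for this zone only,
// so outside clients get authoritative answers here but still no recursion.
zone "example.com" {
    type master;
    file "example.com.zone";       // assumed file name
    allow-query { any; };
};

// An internal-only zone simply inherits the global restriction.
zone "internal.example" {
    type master;
    file "internal.example.zone";  // assumed file name
};
```

With this configuration the external "query refused" the poster saw only applies to zones without their own allow-query, and the root-server referral disappears because recursion remains closed.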




More information about the bind-users mailing list