allow-recursion & allow-query

Kevin Chan kevinchan at trasy.com
Fri Nov 22 08:28:25 UTC 2002


Hi Kevin and all,

I have the same problem as joe.  Also, I can't even nslookup within the same
network as the DNS server.  When I use the command "ls -d kevin.com" from a Windows
NT machine, it shows the error message "Can't list domain kevin.com: Query
refused."  So I am afraid that other, outside DNS servers can't get
my DNS records.  My named.conf settings are as below:

acl can_xfer {
        localhost;
        XXX.XXX.XXX.58;
        };

acl bogon {
      0.0.0.0/8;
      1.0.0.0/8;
      2.0.0.0/8;
      224.0.0.0/3;
      10.0.0.0/8;
      172.16.0.0/12;
      };

options {
        directory "/var/named";
        allow-query { any; };
        allow-transfer { can_xfer; };
        notify yes;
        blackhole { bogon; };
        };

Can you tell me what I should add/delete in my named.conf to solve this
problem ?

Thanks and regards,
Kevin

> Kevin Darcy wrote:
>
>
> joe wrote:
>
> > Hi,
> >
> >  I've defined my ACL in named.conf as:
> >
> > acl dmz { 192.168.5.0/24; };
> >
> > then in my named.conf I have :
> >
> > options {
> >         ...
> >         ...
> >         allow-query { dmz; };
> >         allow-recursion { dmz; };
> >         ...
> >         ...
> >         };
> >
> > By using the above ACL I am limiting clients on my DMZ
> > segment to perform queries and use recursion. I have a
> > NAT setup on my firewall for my DNS's. I want to follow
> > good practice and not allow outside clients to use my
> > DNS's to perform recursive lookups. My concern is with
> > the "allow-query" ACL I've setup. Am I disallowing outside
> > clients the ability to do authoritative lookups for my zones?
> > I should only be disallowing recursive lookups with the above
> > config, correct?
> >
> > I found that when I tried an nslookup from the DMZ segment
> > all worked fine. I then used an external DNS server, set it to
> > my server and performed a lookup; I got back "query refused",
> > which I would expect. My feeling is that if I'm denying queries,
> > how are people going to find me on the Net? I then tested by
> > removing the "allow-query" ACL and got back a list of the
> > root servers upon a non-authoritative query using an external
> > DNS set to use mine for the lookup. Is this because I disallowed
> > the recursion? I'm assuming so.
>
> You should restrict queries and recursion globally, and then open up
> queries for each zone that you want to be available publicly.
>
>
> - Kevin
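The layout Kevin Darcy recommends above, as an added example written for this archive page rather than taken from either poster's named.conf: queries and recursion are restricted globally, and only the authoritative zone opens allow-query to everyone. The network 192.0.2.0/24, the secondary 203.0.113.53 and the zone example.com are assumed placeholder values.

```conf
// Assumed addresses: 192.0.2.0/24 is the internal (DMZ) network and
// 203.0.113.53 is the secondary allowed to pull zone transfers.
acl internal    { localhost; 192.0.2.0/24; };
acl secondaries { localhost; 203.0.113.53; };

options {
        directory "/var/named";
        // Global defaults: only internal clients may query at all, and only
        // they may ask this server to recurse on their behalf.
        allow-query     { internal; };
        allow-recursion { internal; };
        allow-transfer  { secondaries; };
        notify yes;
        // Never blackhole a range your own clients sit in: if the internal
        // network were 10.0.0.0/8, listing it here would silently drop every
        // query from it, whatever allow-query says.
        blackhole { 0.0.0.0/8; 224.0.0.0/3; };
};

// Authoritative zone: the per-zone allow-query overrides the global one, so
// anyone on the Internet can look up records in it. Recursion stays
// restricted, so an outside client gets answers for example.com only, never
// a lookup of arbitrary names through this server.
zone "example.com" {
        type master;
        file "example.com.zone";
        allow-query { any; };
};

// The root hints zone stays under the global (restricted) allow-query.
zone "." {
        type hint;
        file "named.ca";
};
```

Note that nslookup's "ls -d" requests a zone transfer (AXFR), which is governed by allow-transfer rather than allow-query, so it will report "Query refused" from any host not listed in that ACL even when ordinary lookups work.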