ACL lists
Cricket Liu
cricket at menandmice.com
Tue Oct 22 01:00:47 UTC 2002
Derek Caines wrote:
> I'm planning on configuring (via an ACL list) the external DNS servers
> to default to allowing only internal recursion from 3 internal DNS
> servers.
> All other internal resolvers/servers query the above 3 internal
> servers which in turn query the perimeter DNS servers only for
> internet/external lookups.
>
> Q: When checking the source of the query for allowing/disallowing
> recursion, do the external servers use the IP of the original client
> or that of the server that is passing the query along.
> Or stated differently do I have to include all internal networks in
> my ACL list or will the IPs of the 3 internal servers passing along
> the request be adequate?
Just the three internal name servers. The DNS message that the
external name servers receive doesn't contain the address of the
original querier, so it has no idea who that was.
cricket
Men & Mice
DNS Software, Training and Consulting
www.menandmice.com
The DNS and BIND Cookbook, available now!
http://www.oreilly.com/catalog/dnsbindckbk/
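
A named.conf fragment for the external name servers that matches the answer above, as an added example that is not part of the original message. The ACL name and the three 10.0.0.x addresses are constructed placeholders for the three internal name servers.

```conf
// named.conf on each external (perimeter) name server.
// Constructed example: the ACL name and addresses are placeholders.
acl "internal-forwarders" {
    10.0.0.11;   // internal name server 1
    10.0.0.12;   // internal name server 2
    10.0.0.13;   // internal name server 3
};

options {
    // The ACL is matched against the source address of the incoming
    // query. That is the internal name server passing the query along;
    // the original client's address is not in the DNS message.
    allow-recursion { internal-forwarders; };
};
```

Internal client networks do not need to be listed, because their queries never reach the external servers directly.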