controlling recursion
Jon Leeman
jleeman at cenpac.net.nr
Fri Nov 18 00:37:34 UTC 2005
Kevin (with apologies for the direct reply instead of to the list before),
No, I am not / wasn't sure... the test was done by a friend who did:
dig mx hotmail.com @203.98.224.66 /225.9 /225.10
and 66 returned
; <<>> DiG 9.2.4 <<>> mx hotmail.com @203.98.224.66
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56644
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 17
;; ANSWER SECTION:
hotmail.com. 1151 IN MX 5 mx2.hotmail.com.
<snip>
;; AUTHORITY SECTION:
hotmail.com. 115430 IN NS ns1.msft.net.
<snip>
;; ADDITIONAL SECTION:
mx1.hotmail.com. 1151 IN A 64.4.50.99
<snip>
while 9 and 10 returned the same except the additional section.
I'll do some reading on allow-query given your comment re the cache.
Thanks,
Jon
Kevin Darcy wrote:
> Are you *sure* it's allowing recursion? The RA (Recursion Available)
> flag is 0 on the query I made to that server. Be aware that even with
> recursion disallowed, Internet clients might still be able to fetch
> answers that are in your cache, since recursion is not necessary to
> resolve those (I was able to get some cached records for msn.com, for
> instance). This can be prevented either via allow-query or by going to
> views.
>
>
> - Kevin
>
> Jon Leeman wrote:
>
>
>>I have three name servers;
>>
>>203.98.224.66
>>BIND 9.2.1 [MASTER]
>>Linux Mandrake 8.0
>>
>>203.98.225.9
>>BIND 9.3.1 [Slave]
>>NT 4.0 SP6a
>>
>>203.98.225.10
>>BIND 9.3.0 [Slave]
>>Linux Mandrake 10.0
>>
>>with;
>>
>>allow-recursion {
>> 203.98.224.0/23;
>> localhost;
>> };
>>
>>inside their respective 'named.conf'. They are standard configurations
>> with no views etc..
>>
>>My problem is the master is allowing recursion from outside our networks
>>stipulated but the slaves are not.
>>
>>I am currently not in a position to upgrade the Master's BIND version to
>>the latest.
>>
>>I'd appreciate any pointers as to what I am doing incorrectly - to stop
>>unwanted recursion - and will supply the full details / configurations
>>off list if needed.
>>
>>Thanks,
>>
>>Jon
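
The distinction drawn in the quoted reply (recursion offered versus answers handed out with RA clear) can be read straight off the dig header. The following shell function is an added example, not part of the original thread; the name classify_dig and its verdict labels are assumptions of this example. PAGE_HEADER is the flags line quoted above for 203.98.224.66, and the other sample headers are constructed.

```shell
#!/bin/sh
# Added example: classify a dig reply from its ";; flags:" header (stdin).
# Verdict labels are this example's own, not dig or BIND terminology.
classify_dig() {
    awk '
        /^;; flags:/ && !seen {
            seen = 1
            rest = $0
            sub(/^;; flags:/, "", rest)
            flags = rest
            sub(/;.*/, "", flags)          # keep the flag words only
            flags = " " flags " "
            answers = rest
            sub(/.*ANSWER: /, "", answers)
            sub(/,.*/, "", answers)        # ANSWER count as a number
            ra = (index(flags, " ra ") > 0)
            aa = (index(flags, " aa ") > 0)
        }
        END {
            if (!seen) { print "no-header"; exit }
            verdict = "closed"                              # referral or refusal
            if (answers + 0 > 0) verdict = "cache-exposed"  # answer, ra clear
            if (aa) verdict = "authoritative"               # own zone data
            if (ra) verdict = "recursion-offered"           # server will recurse
            print verdict
        }
    '
}

# Flags line from the dig output quoted in this message (203.98.224.66).
PAGE_HEADER=';; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 17'
# Constructed samples for the other cases.
OPEN_HEADER=';; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 17'
CLOSED_HEADER=';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'
AUTH_HEADER=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3'

for h in "$PAGE_HEADER" "$OPEN_HEADER" "$CLOSED_HEADER" "$AUTH_HEADER"; do
    printf '%-18s %s\n' "$(printf '%s\n' "$h" | classify_dig)" "$h"
done

# Live use, from a host outside the allow-recursion networks:
#   dig mx hotmail.com @SERVER | classify_dig
```

A "cache-exposed" verdict for an outside client is the case the quoted reply says allow-query or views can close; "recursion-offered" is the case allow-recursion is meant to prevent.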