Bind 9 allow-recursion limited to localhost

dan_delspam at edenpics.com dan_delspam at edenpics.com
Wed Aug 16 21:40:48 UTC 2006


Hello.

I am trying to set up a DNS server that is a master for the world and a caching
name server for the localhost only.
I have been able to set up something quite close to this, but here is my
problem:

When I do a query of an external domain name from the outside, the
query is properly blocked. However, if I query the server from my
server (localhost) for the same domain name, and then try the first
operation of querying the server from the outside again, then the query is
successful that time.

To be clearer:

1. external query blocks ok:
from ip 192.168.0.100: nslookup google.com 192.168.0.1
*** Can't find google.com: No answer

2. internal query works fine as wanted:
from ip 192.168.0.1: nslookup google.com 192.168.0.1
Name:   google.com
Address: 64.233.167.99

3. external query like point 1 again is accepted this time:
from ip 192.168.0.100: nslookup google.com 192.168.0.1
Name:   google.com
Address: 64.233.167.99

It's as if the 'allow-recursion' directive does not allow recursion
(relaying the request to the source DNS server), but still allows
external requests to access the internal cache of the DNS.
I don't know if this is the normal behaviour, but my question is
whether there is a way to block, for the outside, all requests for
domains which are not my master domain names.
I thought that this directive would take care of it, but it doesn't
seem so.
Can someone also try that and tell me if this is happening elsewhere or
if this is a misconfiguration of my DNS?

I am using Bind 9.2.4-2 on a CentOS 4.3 server.

Here is my configuration file (top only, the rest are only zones):

options {
        directory "/var/named";
        recursion yes;  // recursion stays enabled, but only for the clients listed below
        allow-recursion {127.0.0.1;};
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        query-source port 53; // because firewall allows port 53 only
        allow-transfer {"none"; };  // transfers are allowed per zone below
};

controls {
        inet 127.0.0.1 allow { "none"; };
};

Thanks for any help.
Daniel
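The behaviour in the post is what `allow-recursion` alone gives you on BIND 9.2: it only decides who may trigger a recursive lookup, and anything already in the cache is handed to any client that passes `allow-query`. The configuration below is an added example, not the poster's file: it closes the cache to outsiders by splitting the server into two views, each with its own cache, so that answers cached for local clients are never visible to the external view. `example.com`, its zone file name and the `internal` ACL contents are placeholders; the `localhost` ACL is BIND's built-in match for all of the server's own interface addresses.

```conf
// Added example (not from the original post). Two views with separate caches:
// local clients get a recursive resolver, everyone else gets an
// authoritative-only server that cannot read the internal cache.
acl "internal" { localhost; 127.0.0.1; };   // placeholder: hosts allowed to resolve

options {
        directory "/var/named";
        query-source port 53;           // firewall allows port 53 only
        allow-transfer { none; };       // re-enabled per zone where needed
};

view "internal" {
        match-clients { "internal"; };  // only local clients land in this view
        recursion yes;
        allow-recursion { "internal"; };
        // every authoritative zone must be declared in each view that serves it
        zone "example.com" {            // placeholder zone
                type master;
                file "example.com.zone";
        };
};

view "external" {
        match-clients { any; };         // everyone who did not match above
        recursion no;                   // no recursion for outsiders at all
        allow-recursion { none; };
        // this view has its own (empty) cache, so a name resolved by the
        // internal view is never answered from cache here
        zone "example.com" {            // placeholder zone
                type master;
                file "example.com.zone";
        };
};
```

Validate the file with `named-checkconf` before reloading. The order of `view` blocks matters: BIND uses the first view whose `match-clients` matches, so the restrictive `any` view has to come last. On BIND 9.4 and later the same goal can be reached in a single view with `allow-query-cache { localhost; };`, which explicitly controls who may read cached data; that option does not exist in 9.2, which is why the views approach is needed there.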


