open recursion/cache problem

Stefan Schmidt s.schmidt--bind at mcbone.net
Tue Aug 29 12:18:59 UTC 2006


On Tue, Aug 29, 2006 at 12:31:10PM +0100, Chris Thompson wrote:
> >He asked to specifically limit recursive queries to his IP space as he
> >also has zones he is authoritative for that need to get served - so he
> >cannot just block all queries recursive or otherwise.
> 
> That's _why_ Barry said
> 
>   Then in all the public zone definitions, add "allow-query{any;};"
> 
> Specifying allow-query in a zone statement overrides the value in the 
> options statement, for queries for records within that zone.

Right, I misread him then.
I separated authoritative and recursive nameservers long ago - which is what
I would strongly recommend doing if you have more than just a few zones
to manage, btw. - so I forgot about the following:

allow-recursion
    Specifies which hosts are allowed to make recursive queries through
    this server. If not specified, the default is to allow recursive
    queries from all hosts. Note that disallowing recursive queries
    for a host does not prevent the host from retrieving data that is
    already in the server's cache. 

For Jeffrey's setup this means that clients not listed in allow-recursion
will not be able to trigger named to issue any recursive action but
will be shown the contents of what it already cached, which we might call
minor information leakage.

IMO there should be an option that prevents non-authoritative zones from
being queried. This way the above would become more clear.
Say allow-recursive-clients-from or something similar.

	Stefan

PS: yes, my signatures are random - most of the time they just fit, not
    this time though ;-)
-- 
I cannot say that I don't disagree with you.
- Groucho Marx
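The arrangement discussed in this thread, as a constructed named.conf excerpt added here (not taken from the post or from the BIND documentation): the weak setting that restricts only allow-recursion, beside the corrected one where the options-level allow-query covers the cache and each public zone overrides it with "any". The "internal" ACL, its address ranges and the zone names are placeholders.

```conf
// Constructed named.conf excerpt (added example, not from the thread).
// "internal", the address ranges and the zone names are placeholders.
acl internal { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };

// --- Weak: only recursion is restricted --------------------------------
// Outsiders cannot make named recurse, but any name already sitting in
// the cache is still handed to them (the leak described in the post).
// options {
//     allow-recursion { internal; };
// };

// --- Corrected: the arrangement Barry described ------------------------
options {
    directory "/var/named";
    allow-recursion { internal; };   // who may trigger recursion
    allow-query     { internal; };   // default for everything, cache included
    // BIND 9.4 and later add allow-query-cache; when it is unset it takes
    // the allow-recursion value, so cached data stays covered there too.
    recursion yes;
};

// A public zone overrides the options-level allow-query so the world can
// still reach the data this server is authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// An internal-only zone simply inherits the restrictive default.
zone "corp.example" {
    type master;
    file "corp.example.zone";
};
```

After loading it, named-checkconf validates the syntax, and a query from an address outside "internal" for a name that is only in the cache should come back REFUSED rather than answered.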
