Best allow-query setting on an authoritative-only nameserver

Chris Thompson cet1 at hermes.cam.ac.uk
Mon Apr 2 23:30:51 UTC 2007


The scenario is a nameserver with "recursion no" in options and
each zone statement having its own explicit "allow-query" setting
(mostly "any"). This is intended only as an authoritative server
for a number of zones.

Question: what is the best setting for "allow-query" in options,
which applies only to queries not in any of those zones? Or perhaps
better, what are the pros and cons of "allow-query {none;};" versus
"allow-query {any;};" in this context? Is it better to reply REFUSED
or to give a referral to the root nameservers? (I suppose one should
also distinguish between "better for us" and "better for them".)

To be honest, not _quite_ all the zones have their own allow-query
in the case I am thinking of. "localhost", "0.0.127.in-addr.arpa",
etc. inherit the setting from options.

BIND 9.3.4 incidentally, so allow-query-cache not relevant yet.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
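
The layout described in the post, sketched as a named.conf fragment. This is an added example, not part of the original message; the zone name example.org and all file paths are placeholders, and the localhost-only ACL on the loopback zones is an assumption. It shows where the options-level setting takes effect and what the zones that inherit it need if "none" is chosen.

```conf
// Constructed named.conf fragment; zone names and file paths are placeholders.
options {
    recursion no;

    // Applies to queries that match no configured zone, and to any zone
    // that has no allow-query of its own. The two alternatives from the post:
    allow-query { none; };      // out-of-zone queries are answered REFUSED
    // allow-query { any; };    // out-of-zone queries get a referral to the roots
};

// Authoritative zone with an explicit setting: not affected by the options default.
zone "example.org" {
    type master;
    file "master/example.org";            // placeholder path
    allow-query { any; };
};

// Zones that would otherwise inherit from options. With "none" above they
// are refused too unless each carries its own allow-query.
zone "localhost" {
    type master;
    file "master/localhost";              // placeholder path
    allow-query { localhost; };           // assumption: only this host asks
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.in-addr.arpa";   // placeholder path
    allow-query { localhost; };           // assumption: only this host asks
};
```

Running named-checkconf on the file catches syntax slips, and an out-of-zone query with dig from an outside address shows in the header status which of the two responses the server actually gives.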


