allow query / allow recursion confusion

Niall O'Reilly Niall.oReilly at ucd.ie
Wed Jun 20 19:27:08 UTC 2007


On 20 Jun 2007, at 17:33, Nick wrote:

> Hello, I am a little confused about the security settings allow-query
> and allow recursion and was hoping someone might be able to clear my
> confusion.  I am currently testing this on a BIND 9.3.0 linux box.
>
> An acl line of "allow-query { our-nets; };" would globally only allow
> queries from our designated IPs but deny queries from everyone else,
> correct?
> With the acl line above and with the line "allow-query { any; };" in a
> zone it would then allow this zone to be queried from anyone in the
> world.  Basically overriding the global setting but only on this zone.
>
> From my understanding the "allow recursion", enables or disables boxes
> from looking up domains that this box doesn't handle the zones for.
> So an acl line like "allow-recursion { our-nets; };" would only allow
> IPs within our network to lookup other domains and block everyone
> else from querying some domain, right?

	You hardly seem confused at all!  8-)

	You may be overlooking referral responses.  A query for DNS data
	contained in a zone not carried on your box and from an address
	for which you have chosen to accept requests but to deny recursion
	will result in a referral to "name servers which have zones which
	are closer ancestors to the name [requested] than the server [your
	box] sending the reply" [RFC1034, p.23].


	Best regards,

	Niall O'Reilly
	University College Dublin IT Services

	PGP key ID: AE995ED9 (see www.pgp.net)
	Fingerprint: 23DC C6DE 8874 2432 2BE0 3905 7987 E48D AE99 5ED9
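As an added example (not code from the thread and not BIND's own logic), the following Python model shows how the two ACLs described above combine for a single query, including the referral outcome Niall points out when a client is accepted by allow-query but denied by allow-recursion. The prefixes behind "our-nets", the zone names and both configurations are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed ACL table modelling Nick's "our-nets" (hypothetical prefixes).
ACLS = {"our-nets": ["192.0.2.0/24", "2001:db8::/32"],
        "any": ["0.0.0.0/0", "::/0"]}

# Two constructed named.conf-style configurations: Nick's, and one whose
# global allow-query is wider than allow-recursion (Niall's referral case).
CFG_NICK = {"options": {"allow-query": "our-nets", "allow-recursion": "our-nets"},
            "zones": {"example.com": {"allow-query": "any"}, "corp.example": {}}}
CFG_OPEN_QUERY = {"options": {"allow-query": "any", "allow-recursion": "our-nets"},
                  "zones": CFG_NICK["zones"]}

def acl_matches(acl: str, client: str) -> bool:
    """True if the client address lies inside any prefix of the named ACL."""
    addr = ipaddress.ip_address(client)
    # membership is False across address families, so mixed ACLs are safe
    return any(addr in ipaddress.ip_network(net) for net in ACLS[acl])

def find_zone(cfg: dict, qname: str) -> Optional[str]:
    """Longest-suffix match of the query name against the zones this box carries."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cfg["zones"]:
            return candidate
    return None

def effective_query_acl(cfg: dict, zone: Optional[str]) -> str:
    """A zone-level allow-query overrides the global one for that zone only."""
    if zone is not None and "allow-query" in cfg["zones"][zone]:
        return cfg["zones"][zone]["allow-query"]
    return cfg["options"]["allow-query"]

def classify(cfg: dict, client: str, qname: str) -> str:
    """Model of how the two ACLs combine for one query (not BIND's own code)."""
    zone = find_zone(cfg, qname)
    if not acl_matches(effective_query_acl(cfg, zone), client):
        return "REFUSED"                     # allow-query denies this client
    if zone is not None:
        return "AUTHORITATIVE:" + zone       # data is in a zone we carry
    if acl_matches(cfg["options"]["allow-recursion"], client):
        return "RECURSE"                     # we resolve it for the client
    return "REFERRAL"                        # accepted, not recursed: referral
```

With CFG_OPEN_QUERY an outside client asking for a name outside your zones gets a referral rather than REFUSED, which is the case the reply above warns about.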
