allow query / allow recursion confusion
Barry Margolin
barmar at alum.mit.edu
Thu Jun 21 01:38:59 UTC 2007
In article <f5blac$1roq$1 at sf1.isc.org>, Nick <kvetch at gmail.com> wrote:
> An acl line of "allow-query { our-nets; };" would globally only allow
> queries from our designated IPs but deny queries from everyone else,
> correct?
> With the acl line above and with the line "allow-query { any; };" in a
> zone it would then allow this zone to be queried from anyone in the
> world. Basically overriding the global setting but only on this zone.
>
> From my understanding the "allow recursion", enables or disables boxes
> from looking up domains that this box doesn't handle the zones for.
> So an acl line like "allow-recursion { our-nets; };" would only allow
> IPs within our network to look up other domains and block everyone
> else from querying some domain, right?
The main difference is that if someone is not in the "allow-recursion"
ACL they'll be allowed to query data that is already in your server's
cache. So if an internal user looks up www.google.com, external users
will be able to look this up until the cached record expires (and in the
case of a popular name like this, it will probably be in cache most of
the time).
BIND 9.4 adds a new option, I think called "allow-query-cache", that
does what most people wanted "allow-recursion" to do.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
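As an added example (not part of the original thread or of any poster's configuration), here is a named.conf fragment for the case the reply describes: one server that is authoritative for a public zone and also recurses for internal clients. The acl name "our-nets", the prefix 192.0.2.0/24, the zone "example.com" and the file paths are assumed values chosen for illustration. The allow-query-cache option requires BIND 9.4 or later.

```conf
// Added example, not from the original post. Assumes BIND 9.4+ and that
// 192.0.2.0/24 stands in for the poster's "our-nets" (constructed value).
acl our-nets { 192.0.2.0/24; localhost; };

options {
    directory "/var/named";
    recursion yes;

    // The world must be able to reach our authoritative zones, so queries
    // are open globally (a per-zone "allow-query { any; }" would do the
    // same if the global setting were restricted to our-nets instead).
    allow-query { any; };

    // Only internal clients may make this server go out and resolve names
    // it is not authoritative for.
    allow-recursion { our-nets; };

    // Without this line, an outside client can still read whatever an
    // internal client already pulled into the cache (www.google.com, etc.)
    // until the TTL expires. Restricting cache answers closes that gap.
    allow-query-cache { our-nets; };
};

// Public zone: answered for anyone because the global allow-query is any.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

To check the result from an address outside our-nets: `dig @ns.example.com www.example.com` should answer with authoritative data, while `dig @ns.example.com www.google.com +norecurse` should come back REFUSED even right after an internal client looked the name up. On BIND 9.3 and earlier there is no allow-query-cache, so the only way to avoid serving cached data to outsiders is to keep authoritative and recursive service apart, either on separate servers or in separate views (an external view with recursion no and only the authoritative zones, an internal view with recursion yes).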