allow query / allow recursion confusion
Mark Andrews
Mark_Andrews at isc.org
Thu Jun 21 01:58:55 UTC 2007
> In article <f5blac$1roq$1 at sf1.isc.org>, Nick <kvetch at gmail.com> wrote:
>
> > An acl line of "allow-query { our-nets; };" would globally only allow
> > queries from our designated IP's but deny queries from everyone else,
> > correct?
> > With the acl line above and with the line "allow-query { any; };" in a
> > zone it would then allow this zone to be queried from anyone in the
> > world. Basically overriding the global setting but only on this zone.
> >
> > From my understanding the "allow recursion", enables or disables boxes
> > from looking up domains that this box doesn't handle the zones for.
> > So an acl line like "allow-recursion { our-nets; };" would only allow
> > IP's within our network to lookup other domains and block everyone
> > else from querying some domain, right?
>
> The main difference is that if someone is not in the "allow-recursion"
> ACL they'll be allowed to query data that is already in your server's
> cache. So if an internal user looks up www.google.com, external users
> will be able to look this up until the cached record expires (and in the
> case of a popular name like this, it will probably be in cache most of
> the time).
>
> BIND 9.4 adds a new option, I think called "allow-query-cache", that
> does what most people wanted "allow-recursion" to do.
allow-query-cache just separated out what allow-query
operated on. allow-query now only affects zones rather
than zones and cache.
You could always prevent people querying the cache. It was
just more work if you were also officially authoritative for
a zone as you needed to add "allow-query {any;};" to the
zone definition.
Separately you now need to match both allow-query-cache
and allow-recursion to have RA set in responses.
Mark
> --
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
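The two configurations discussed in this thread side by side, as an added named.conf example that is not from the thread or from ISC. The network in the `our-nets` ACL, the zone name and the file name are placeholders.

```conf
// Added example, not part of the original thread. Addresses are placeholders.
acl our-nets { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; ::1; };

// --- BIND 9.3 and earlier: allow-query governed both zones AND the cache ---
// options {
//     allow-query     { our-nets; };   // also closed the cache to outsiders ...
//     allow-recursion { our-nets; };
// };
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-query { any; };            // ... so every public zone needed this override
// };

// --- BIND 9.4 and later: allow-query now affects zones only ---
options {
    allow-query       { any; };        // authoritative zone data stays public
    allow-query-cache { our-nets; };   // cached answers: internal clients only
    allow-recursion   { our-nets; };   // recursive lookups: internal clients only
    // the RA flag is set only for clients matching BOTH of the two lines above
};

zone "example.com" {
    type master;
    file "example.com.zone";           // placeholder file name
    // no per-zone allow-query override needed any more
};
```

To check the split from outside `our-nets`, query the server for a name it is not authoritative for (`dig @server www.google.com`): the expected result is status REFUSED with no `ra` in the flags, while a query for `example.com` still answers.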