allow query / allow recursion confusion
Nick
kvetch at gmail.com
Thu Jun 21 15:55:34 UTC 2007
Ah, thanks Niall. So does the allow-query { our-nets; }; also block
any queries for domains we don't specifically have zones for? I
thought that is what the recursion directive is for.
If I don't set allow recursion to our-nets, meaning recursion is
allowed, I still can't do lookups on other zones it isn't the authority
for (I did the lookup from an IP not in our-net). I get the REFUSED flag
back.
# dig @192.168.1.1 yahoo.com
; <<>> DiG 9.3.4 <<>> @192.168.1.1 yahoo.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com. IN A
;; Query time: 14 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Jun 21 11:26:04 2007
;; MSG SIZE rcvd: 30
To make sure there wasn't something screwy with my named.conf, I
captured the packets when doing the lookup and I see the flag is set
that states Server Can Do Recursive Queries. What is blocking the
lookup then? Does having allow-query set to our-nets also block queries
for zones it doesn't maintain, basically doing the same thing as
setting allow recursion restricted to our-nets? So if you have the
following options
allow-query { our-nets; };
allow-recursion { our-nets; };
And you set the allow-query option in each zone, is there any reason to
also have the allow-recursion restricted to our-nets? How could
someone not in our-net do a lookup on a zone not in your named.conf?
Thanks,
Nick
On 6/20/07, Niall O'Reilly <Niall.oReilly at ucd.ie> wrote:
>
> On 20 Jun 2007, at 17:33, Nick wrote:
>
> > Hello, I am a little confused about the security settings allow-query
> > and allow recursion and was hoping someone might be able to clear my
> > confusion. I am currently testing this on a BIND 9.3.0 linux box.
> >
> > An acl line of "allow-query { our-nets; };" would globally only allow
> > queries from our designated IPs but deny queries from everyone else,
> > correct?
> > With the acl line above and with the line "allow-query { any; };" in a
> > zone it would then allow this zone to be queried from anyone in the
> > world. Basically overriding the global setting but only on this zone.
> >
> > From my understanding the "allow recursion" enables or disables boxes
> > from looking up domains that this box doesn't handle the zones for.
> > So an acl line like "allow-recursion { our-nets; };" would only allow
> > IPs within our network to look up other domains and block everyone
> > else from querying some domain, right?
>
> You hardly seem confused at all! 8-)
>
> You may be overlooking referral responses. A query for DNS data
> contained in a zone not carried on your box and from an address
> for which you have chosen to accept requests but to deny recursion
> will result in a referral to "name servers which have zones which
> are closer ancestors to the name [requested] than the server [your
> box] sending the reply" [RFC1034, p.23].
>
>
> Best regards,
>
> Niall O'Reilly
> University College Dublin IT Services
>
> PGP key ID: AE995ED9 (see www.pgp.net)
> Fingerprint: 23DC C6DE 8874 2432 2BE0 3905 7987 E48D AE99 5ED9
>
>
>
>
>
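The thread turns on the order in which BIND applies the two ACLs: allow-query is checked before anything else, so a client outside our-nets gets REFUSED for yahoo.com even when recursion would be permitted, while a client that passes allow-query but is denied recursion gets the referral Niall describes. The following is an added example, not code from the thread or from BIND: a simplified Python model of that decision order, with a constructed configuration in which our-nets is assumed to be 192.168.1.0/24 and example.net/example.org are assumed zone names.

```python
# Simplified model of how BIND 9 decides what a client gets, following the
# decision order discussed in the thread: the applicable allow-query ACL is
# checked first (a zone-level allow-query overrides the global one for names
# inside that zone), then whether the name lies in a zone the server carries,
# then allow-recursion. Constructed example; this is not BIND's own code.
import ipaddress

def in_acl(addr, acl):
    """Return True if addr matches any prefix in acl ('any' matches everything)."""
    ip = ipaddress.ip_address(addr)
    return any(p == "any" or ip in ipaddress.ip_network(p) for p in acl)

def zone_for(name, zones):
    """Return the longest configured zone that contains name, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def answer_for(client, name, options, zones, rd=True):
    """Classify the response as 'REFUSED', 'authoritative', 'recursive' or 'referral'."""
    zone = zone_for(name, zones)
    # A zone-level allow-query, if present, replaces the global one for that zone.
    acl = zones[zone].get("allow-query", options["allow-query"]) if zone else options["allow-query"]
    if not in_acl(client, acl):
        return "REFUSED"          # what Nick saw from an address outside our-nets
    if zone:
        return "authoritative"    # data the server carries itself
    if rd and in_acl(client, options["allow-recursion"]):
        return "recursive"        # server resolves the name on the client's behalf
    return "referral"             # RFC 1034: referral to closer name servers

# Constructed configuration mirroring the thread (our-nets assumed to be 192.168.1.0/24).
OUR_NETS = ["192.168.1.0/24"]
OPTIONS = {"allow-query": OUR_NETS, "allow-recursion": OUR_NETS}
ZONES = {
    "example.net": {"allow-query": ["any"]},  # zone opened to the whole world
    "example.org": {},                         # inherits the global allow-query
}

if __name__ == "__main__":
    for client, name in [("10.9.8.7", "yahoo.com"), ("10.9.8.7", "www.example.net"),
                         ("10.9.8.7", "www.example.org"), ("192.168.1.50", "yahoo.com")]:
        print(f"{client:14} {name:18} -> {answer_for(client, name, OPTIONS, ZONES)}")
```

With both options restricted to our-nets, no client can ever reach the referral branch for a name outside the carried zones, which is why the extra allow-recursion restriction changes nothing in that configuration; it matters once allow-query is opened more widely than allow-recursion.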