allow query / allow recursion confusion

Kal Feher kal.feher at melbourneit.com.au
Fri Jun 22 02:37:12 UTC 2007


The allow-query behaviour changed with 9.4
Allow-query-cache was added and is specific to the cache.
I note you tested on 9.3; I don't believe the statement allow-query-cache was
available on that release, hence your counter-intuitive results.


On 22/6/07 10:09 AM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:

> Kal Feher wrote:
>> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>> 
>>> 
>>> Doesn't setting
>>> 
>>>    recursion no;
>>> 
>>> do that too?
>> No, I'll elaborate below from the 9.4 ARM:
>> 
>> "allow-recursion
>> 
>> Note that disallowing recursive queries for a host does not prevent
>> the host from retrieving data that is already in the server's cache."
>> 
>> and
>> 
>> "recursion
>> 
>>     Note that setting recursion no does not prevent clients from
>> getting data from the server's cache; it only prevents new data from
>> being cached as an effect of client queries. Caching may still occur
>> as an effect of the server's internal operation, such as NOTIFY address
>> lookups."
>> 
>> So we now use:
>> 
>> "allow-query-cache
>> 
>>    Specifies which hosts are allowed to get answers from the cache.
>> The default is the builtin acls localnets and localhost. "
>> 
> 
> Sorry, I should have been more clear. Using "recursion no;" in the scope of a
> "view" seems to prevent _any_ recursive queries.
> 
>    *   *   *
> 
> I even did a test using my bind 9.3.4 server that masters some zones.
> 
> From a remote ssh connection, I queried my server:
> 
> 1) Queried one of the zones it's authoritative for. Ok, that works.
> 
> 2) Queried yahoo.com, got back a list of root servers (dig), nothing
> more.
> 
> 3a) on a local console, queried yahoo.com against the same bind server,
> got 2 IPs for yahoo.com, 7 NS's (2 of which return A records in the
> ADDITIONAL field.)
> 
> 3b) sent the same query again from the remote console for yahoo.com, got
> a list of root servers from dig again, nothing changed.
> 
> And yes that name server (Bind 9.3.4) uses views, only allowing the
> internal view to issue recursive queries (recursion yes;) while the
> external only allows querying of zones the server is authoritative for
> (recursion no;)
> 
>    *   *   *
> 
> Works like a charm, nothing is taken from cache, so can you please
> clarify how one would be able to get something out of my cache (like
> google.com, etc) ?

-- 
Kal Feher
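The two configurations under discussion side by side, as an added example that is not part of the original post or of the BIND documentation. It shows a split-view named.conf in which the external view relies on "recursion no;" alone (the 9.3-style setup from the thread) next to a 9.4+ external view that also closes the cache with allow-query-cache and allow-recursion. Network ranges, the zone name example.org and the server name ns1.example.net are assumptions for illustration; the ACL syntax and the allow-query-cache, allow-recursion and additional-from-cache statements are standard BIND 9 options.

```conf
// Added example (not from the original thread). Addresses and names are placeholders.
acl "internal" { 192.0.2.0/24; localhost; localnets; };

// --- Internal view: the only one that may recurse and read the cache ---
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };   // BIND 9.4+ ; unavailable on 9.3
    zone "example.org" { type master; file "example.org.db"; };
};

// --- External view, weak variant (what "recursion no;" alone buys you) ---
// Per the ARM text quoted in the thread, "recursion no;" stops the server
// from recursing on behalf of these clients but does NOT, by itself, stop
// them from reading whatever is already in this view's cache.
//
// view "external" {
//     match-clients { any; };
//     recursion no;
//     zone "example.org" { type master; file "example.org.db"; };
// };

// --- External view, hardened variant for BIND 9.4 and later ---
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion       { none; };   // no recursion for anyone outside
    allow-query-cache     { none; };   // no answers from cache for anyone outside
    additional-from-cache no;          // do not fill ADDITIONAL from cache either
    zone "example.org" { type master; file "example.org.db"; };
};
```

To check the result from a host that lands in the external view, query a name the server is not authoritative for with recursion disabled in the client so the server cannot fall back to recursing: dig @ns1.example.net www.yahoo.com +norecurse. A hardened 9.4+ server answers REFUSED (or an empty answer with a root referral); a cached A record coming back means the cache is still readable from outside. Note that in BIND 9 each view has its own cache, so a record fetched through the internal view is not automatically visible to the external view; that is consistent with the 9.3 test in the thread, but it is the view separation rather than "recursion no;" that provided it.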


