allow query / allow recursion confusion

Nick kvetch at gmail.com
Tue Jun 26 14:28:57 UTC 2007


Great, thanks.  That is what I was trying to get at.  So even though the
recursion flag is on, IPs not in the our-nets acl will be blocked from
hitting the cache.
Are there any security reasons to set allow-recursion { our-nets; };
or is it basically needlessly repeating itself?

On 6/25/07, Kal Feher <kal.feher at melbourneit.com.au> wrote:
> Your global option:
> allow-query { our-nets; };
>
> Means only those networks listed in the our-nets acl can hit the cache. Your
> external tests will not, I presume, have matched this acl.
>
> This behaviour can be overridden on a per zone basis as well.
>
> HTH
>
> On 26/6/07 7:16 AM, "Nick" <kvetch at gmail.com> wrote:
>
> > I appreciate all the help but I am still a little confused.
> > So then if allow-recursion is not set I should be able to query items
> > in that server's cache from outside the our-net, right?
> > For some reason I don't seem to be able to accomplish this with my
> > BIND 9.3.0 installation.  I don't specify allow with recursion on or
> > off, just commented.  I tested by doing a lookup of yahoo.com from an
> > internal box
> > # dig @ns1.myserver.com yahoo.com
> > I got a response back with a ttl of 300.
> > Then I went to a box outside the network and tried to look it up from
> > the server's cache but it got refused.
> > On the box outside network I did -
> > # dig @ns1.myserver.com yahoo.com
> > ............
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53934
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUESTION SECTION:
> > ;yahoo.com.                     IN
> > ..............
> >
> > Why would it be refused, shouldn't it be in cache?
> > Here is what my conf basically looks like.  Currently it is not split
> > into internal and external, this box just handles external.
> > acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 172.16.0.0/12; };
> > acl our-nets { 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; };
> > #
> > options {
> >         directory "/var/named";
> >         pid-file "named.pid";
> >         statistics-file "/var/log/named/named.stats";
> >         zone-statistics yes;
> >         listen-on-v6 { none; };
> >         allow-query { our-nets; };
> > #       allow-recursion { our-nets; };
> >         blackhole { bogusnets; };
> >
> > };
> >
> > logging {
> >         category default { named_info; };
> >         category lame-servers { null; };
> >
> >         channel query_info {
> >                 file "/var/log/named/querylog" versions 24 size 100m;
> >                  severity info;
> >                  print-category yes;
> >                  print-time yes;
> >          };
> >
> >         channel named_info {
> >                 file "/var/log/named/namedlog" versions 10 size 30m;
> >                  severity info;
> >                  print-category yes;
> >                  print-time yes;
> >          };
> >
> >         category queries { query_info; };
> >         category resolver { query_info; };
> >
> > };
> >
> > zone "domain.com" {
> >         type master;
> >         file "domain.com.dns";
> >         allow-transfer { none; };
> >         allow-query { any; };
> > };
> >
> > zone "domain2.com" {
> >         type master;
> >         file "domain2.com.dns";
> >         allow-transfer { none; };
> >         allow-query { any; };
> > };
> >
> > Thanks,
> > Nick
> >
> > On 6/21/07, Kal Feher <kal.feher at melbourneit.com.au> wrote:
> >>
> >>
> >>
> >> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
> >>
> >>>
> >>> Doesn't setting
> >>>
> >>>    recursion no;
> >>>
> >>> do that too?
> >> No, I'll elaborate below from the 9.4 ARM:
> >>
> >> "allow-recursion
> >>
> >> Note that disallowing recursive queries for a host does not prevent the host
> >> from retrieving data that is already in the server's cache."
> >>
> >> and
> >>
> >> "recursion
> >>
> >>      Note that setting recursion no does not prevent clients from getting
> >> data from the server's cache; it only prevents new data from being cached as
> >> an effect of client queries. Caching may still occur as an effect of the
> >> server's internal operation, such as NOTIFY address lookups."
> >>
> >> So we now use:
> >>
> >> "allow-query-cache
> >>
> >>     Specifies which hosts are allowed to get answers from the cache. The
> >> default is the builtin acls localnets and localhost. "
> >>
> >>
> >> HTH
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Kal Feher
> >>
> >>
> >>
> >
> >
>
> --
> Kal Feher
>
>
>
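The thread boils down to three different knobs that are easy to conflate: allow-query (who may ask at all), allow-recursion (who may make the server go and fetch new data) and, on BIND 9.4 and later, allow-query-cache (who may read answers already sitting in the cache). Nick's 9.3.0 server refused the outside query for yahoo.com only because the global allow-query ACL happened to exclude that host; neither allow-recursion nor recursion no would have done it, as the ARM excerpts Kal quoted say. The following named.conf is an added example, not Nick's or Kal's configuration and not text from the BIND ARM; the ACL ranges and zone names are carried over from Nick's posted config as assumptions, and the only directive it adds is allow-query-cache. It shows the setting the thread started from beside the explicit form.

```conf
// Added example (not from the original thread). Assumes the same
// networks and zones Nick posted; allow-query-cache needs BIND 9.4+.

acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 172.16.0.0/12; };
acl our-nets  { 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; };

options {
    directory "/var/named";
    listen-on-v6 { none; };
    blackhole { bogusnets; };

    // IMPLICIT (where the thread started): only allow-query is set.
    // On 9.3 this is the ACL that gates cache reads, so outsiders get
    // REFUSED for yahoo.com, but nothing here states who may recurse,
    // and the cache restriction exists only as a side effect of
    // allow-query. Commenting allow-recursion out changes nothing:
    // allow-recursion and "recursion no" do not stop reads of data
    // that is already cached.
    //
    //   allow-query { our-nets; };
    //   # allow-recursion { our-nets; };

    // EXPLICIT: say each thing once, so the cache stays closed even if
    // someone later widens allow-query (or relies on per-zone "any").
    allow-query       { our-nets; };   // default for zones without their own allow-query
    allow-recursion   { our-nets; };   // only our clients may cause new lookups
    allow-query-cache { our-nets; };   // only our clients may read cached answers
};

// Authoritative zones are public: the per-zone allow-query overrides the
// global one, exactly as Kal described. Transfers stay closed.
zone "domain.com" {
    type master;
    file "domain.com.dns";
    allow-transfer { none; };
    allow-query    { any; };
};

zone "domain2.com" {
    type master;
    file "domain2.com.dns";
    allow-transfer { none; };
    allow-query    { any; };
};
```

To confirm the behaviour rather than infer it, run `named-checkconf` on the file, then from a host outside our-nets repeat Nick's test: `dig @ns1.myserver.com yahoo.com` (and the same with `+norecurse`, which asks only for cached data) should return `status: REFUSED`, while `dig @ns1.myserver.com domain.com SOA` should return `status: NOERROR` with the authoritative answer. Run the yahoo.com query once more from a host inside our-nets to check that it still gets an answer; if it does not, the acl is wrong, not the cache directives.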
