Recursive Domain Query on Restricted Recursive DNS

Nicolas Pence npence at dedicado.com
Wed Nov 28 11:54:38 UTC 2007


> Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.

The configuration is working. If I don't put the line "allow-query-cache",
the following happens:

> allow-query { mynet; };
Blocks unauthorized new queries, but queries for records in the cache
are successful.

> allow-query-cache { mynet; };
Blocks unauthorized new queries for records already in my cache.

I've made some tests, and if an authorized user queries a domain "example.com",
the unauthorized users can make queries without problems.
If this domain "example.com" is not in the cache, then the unauthorized
user can't get the info.


> I think this is doable if you drop the global "allow-recursion"
> restriction (which at the global level is extraneous anyway because of the global allow-query), and then define the zones of interest as
> "type stub" with "allow-query" opened up.
OK, it's true, I should remove allow-recursion; it is limited by allow-query & allow-query-cache.

I read about stub zones and there is the need for an "already known"
(if I understand how stub works):

zone "subdom.example.com" {
	type stub;
	file "slaves/subdom.example.com.zone";
	masters { ip1; ip2; };
};

So I don't really have master servers, but if the info is
in the cache, can't I just query this domain locally and allow anybody to do it?

thanks

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Kevin Darcy
Sent: Wednesday, November 28, 2007 01:19
To: bind-users at isc.org
Subject: Re: Recursive Domain Query on Restricted Recursive DNS

Nicolas Pence wrote:
> Hi, I need to know how to set up the following solution:
>  
> - I have a Recursive DNS that is restricted to only wanted IP ranges, 
> running Bind 9.3.2
>  
> acl mynet { iprange1/mask; iprange2/mask; iprange3/mask; };
>  
> options {
> allow-recursion { mynet; };
> allow-query { mynet; };
> allow-query-cache { mynet; };
> };
>   
Is this a working configuration? allow-query-cache doesn't exist in 9.3.2.

>  
> - But I see some people with my NS configured doing queries to a 
> domain name that I really want them to reach, so what I need is to 
> enable queries "only"
> to this domain name
> "subdom.example.com" to anybody who query my server like doing:
>  
> allow-query { any; };
>  
> - subdom.example.com is not mine so I can't be auth for this domain 
> and resolve the issue setting a master nor a slave zone.
>  
>  
> Is this task possible? 
>   
I think this is doable if you drop the global "allow-recursion" 
restriction (which at the global level is extraneous anyway because of the global allow-query), and then define the zones of interest as "type stub" with "allow-query" opened up.

"Type slave" should work also, of course, but that would, in addition to the above, require zone-transfer permission/authority and is likely to incur more overhead than "type stub" (depending on a variety of factors, e.g. zone REFRESH setting, whether the remote side supports/honors IXFR, TTL of the most popularly-queried records, frequency of changes to the zone, etc.)

                                                                         
                           - Kevin
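Added example, not from either poster: a named.conf layout following Kevin's suggestion, with the resolver kept closed to everyone except mynet and a single stub zone whose zone-level allow-query is opened to any client. It assumes BIND 9.4 or later, where allow-query-cache exists (Kevin notes it is absent in 9.3.2); the ACL ranges and the masters addresses are placeholders.

```conf
// Added example (not from the thread). Assumes BIND 9.4+; addresses are placeholders.
acl mynet { 192.0.2.0/24; 198.51.100.0/24; };   // placeholder client ranges

options {
    directory "/var/named";

    // Global policy: only mynet may query this server, and only mynet may
    // be served answers already in the cache. No global allow-recursion
    // line, as Kevin suggests. Keeping both lists restricted means the
    // server is not an open resolver for everyone else.
    allow-query       { mynet; };
    allow-query-cache { mynet; };
};

// The one external domain that any client may look up. The server is
// not authoritative for it: a stub zone only keeps the NS/SOA records
// fetched from the listed masters and uses them as the starting point
// when resolving names below subdom.example.com. The zone-level
// allow-query overrides the global one for names inside this zone only.
zone "subdom.example.com" {
    type stub;
    file "slaves/subdom.example.com.zone";
    masters { 203.0.113.1; 203.0.113.2; };   // placeholders: the domain's
                                             // authoritative servers
    allow-query { any; };
};
```

Check the result with named-checkconf and then query a name under subdom.example.com from an address outside mynet, and a name outside it from the same address; only the first should be answered.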