Issues with loop

Barry Margolin barmar at alum.mit.edu
Fri Jul 11 02:34:16 UTC 2008


In article <g56fet$2q5$1 at sf1.isc.org>,
 "Jonathan Petersson" <jpetersson at garnser.se> wrote:

> Hi everyone.
> 
> I recently took a couple of new DNS servers online and have stumbled
> upon an issue. These servers are hosting a couple of reverse zones and
> allow recursive lookup for our own external networks. This seems to
> cause a loop when looking up records of the hosted zones.

You probably need to have the hosted zones in both views.  When an 
internal client tries to look something up in the hosted zone, your 
server recurses because it's not in the view.  And it recurses to 
itself, so the recursive query also seems to be coming from an internal 
address, so it also goes to the internal view.

> 
> Could anyone recommend another approach to allow recursive lookups for
> known networks and still only allow queries for the authoritative
> zones to the rest of the Internet?
> 
> (The networks in this config are not ours)
> 
> Thanks
> 
> options {
>         query-source address * port 53;
> 
>         directory "/var/named";
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
> 
>         version "surely you must be joking";
> 
>         allow-transfer {
>                 127.0.0.1;
>                 123.123.123.123;
>         };
> 
>         querylog yes;
> 
> };
> 
> logging {
>         channel default_debug {
>                 file "/var/log/named.run";
>                 severity dynamic;
>         };
> 
>         channel query_log {
>                 file "/var/log/querylog" versions 3 size 40m;
>                 print-time yes;
>         };
> 
>         category queries { query_log; };
> };
> 
> view "known" {
>         match-clients {
>                 127.0.0.1;
>                 122.0.0.0/24;         # Allowed network
>         };
> 
>         recursion yes;
> 
>         include "/etc/named.root.hints";
>         include "/etc/named.rfc1912.zones";
> };
> 
> view "all" {
>         match-clients { any; };
>         recursion no;
> 
>      zone "0.0.122.in-addr.arpa" IN {
>           type slave;
>           file "slaves/122.0.0";
>           masters { 123.123.123.123; };
>      };
> };

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
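The fix described in the reply, as an added example and not a config from either poster: the hosted reverse zone is declared in both views, so a query from the allowed network is answered authoritatively inside the "known" view instead of being recursed back to the same server (where it matches "known" again and loops). The addresses are the placeholder ones from the original post; the acl name, the per-view slave file names and the dropped fixed source port are assumptions of this example.

```conf
// Added example (not from the original post): the same zone in both
// views. Each view keeps its own slave copy, so the file names differ.
// Addresses are the placeholders from the post; the acl name and file
// names are assumed.

options {
        directory "/var/named";
        // No "port 53" here: a fixed source port disables the per-query
        // source port randomization that protects recursive lookups.
        query-source address *;
        allow-transfer { 127.0.0.1; 123.123.123.123; };
        version "surely you must be joking";
};

acl "known-nets" {
        127.0.0.1;
        122.0.0.0/24;         // Allowed network
};

view "known" {
        match-clients { "known-nets"; };
        recursion yes;

        include "/etc/named.root.hints";
        include "/etc/named.rfc1912.zones";

        // The hosted zone is present in this view too, so a lookup for
        // 0.0.122.in-addr.arpa is answered locally and never recursed.
        zone "0.0.122.in-addr.arpa" IN {
                type slave;
                file "slaves/122.0.0.known";   // per-view slave file
                masters { 123.123.123.123; };
        };
};

view "all" {
        match-clients { any; };
        recursion no;

        zone "0.0.122.in-addr.arpa" IN {
                type slave;
                file "slaves/122.0.0.all";     // per-view slave file
                masters { 123.123.123.123; };
        };
};
```

Run `named-checkconf` on the result before reloading. To confirm the loop is gone, a reverse lookup for an address in 122.0.0.0/24 sent from the allowed network should come back with the `aa` flag set and no recursion logged in the query log; a lookup for an unrelated name from an outside address should be refused, since the "all" view has `recursion no`. Because each view holds a separate slave copy, the zone is transferred once per view, and each copy must be refreshed independently.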

