DNS Cache Snooping? - RESOLVED

Jeff Lightner jlightner at water.com
Wed Jun 25 16:07:06 UTC 2008


Jeremy,

Thanks to you and all the others on the list.

I had actually attempted the allow-query method (from the O'Reilly BIND
book) before the allow-recursion.  The book said that the
allow-recursion meant I didn't need the allow-query but of course it was
addressing recursion and not caching.

By implementing as you suggested I've now prevented both the external
recursion and cache snooping.

A side note:  
I had actually tried the allow-query method first but had an issue which
may have been I realized I couldn't do external dig @myserver -x
xx.xx.xx.xx.  

After implementing allow-query in addition to the previously done
allow-recursion on your suggestion I saw the issue with the dig from
external.  However doing a "dig -x xx.xx.xx.xx" from that external
location did resolve.  

That appears to be because we'd had to put in specific arpa names for
named.conf to make the reverse lookup work externally in the past.
These are delegated to us by AT&T.   It seems that the delegation
through AT&T requires the range information but the dig directly to the
server can't use it.   I solved that problem simply by adding another
zone entry without the range but pointing to the same zone file.

-----Original Message-----
From: Jeremy C. Reed [mailto:Jeremy_Reed at isc.org] 
Sent: Tuesday, June 24, 2008 11:31 AM
To: Jeff Lightner
Cc: comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?

On Tue, 24 Jun 2008, Jeff Lightner wrote:

> Therefore my first mission was to allow recursion for the inside
> people and prevent it for the external people while still allowing the
> external to lookup the domains for which we are authoritative.

options {
	allow-query { internaldns; };
	allow-recursion { internaldns; };
};

zone "foo.bar" {
	type master;
	file "foo.bar";
	allow-query { any; };
};
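Added illustration (not part of the original thread, and not Jeremy's or ISC's configuration): a named.conf fragment that puts together the two controls discussed above plus the reverse-zone workaround Jeff describes. The ACL name "internaldns" and the zone "foo.bar" come from the reply; the address ranges, file names and the RFC 2317 classless form of the reverse delegation are my assumptions about what the "range information" from the provider looks like.

```conf
// Added example, not from the original thread.  Addresses, file names and
// the classless reverse-delegation form are assumptions.

acl "internaldns" {
    127.0.0.1;
    10.0.0.0/8;             // assumed internal address range
};

options {
    directory "/var/named";

    // Global default for every zone and for the cache: only internal
    // clients may ask anything.  This is what stops cache snooping, since
    // an outside non-recursive query for cached data now gets REFUSED
    // instead of an answer revealing what internal users have looked up.
    allow-query     { internaldns; };
    // Only internal clients may ask this server to recurse.
    allow-recursion { internaldns; };
};

// Zones we are authoritative for override the global allow-query so the
// rest of the Internet can still resolve them.
zone "foo.bar" {
    type master;
    file "foo.bar";
    allow-query { any; };
};

// Reverse zone as delegated by the provider in classless (RFC 2317) form:
// the parent zone points 1.100.51.198.in-addr.arpa .. 126.100.51.198.in-addr.arpa
// at names under this zone, so queries that follow the delegation land here.
zone "0/25.100.51.198.in-addr.arpa" {
    type master;
    file "rev-198.51.100.0-25";
    allow-query { any; };
};

// The same data under the plain /24 name.  "dig @thisserver -x 198.51.100.5"
// asks for 5.100.51.198.in-addr.arpa directly; with recursion and cache
// access closed off, that is refused unless it matches a zone we serve.
// Pointing a second zone at the same file makes the direct query work too.
zone "100.51.198.in-addr.arpa" {
    type master;
    file "rev-198.51.100.0-25";
    allow-query { any; };
};
```

Two things worth checking after a change like this. First, the shared reverse file only works under both origins if its PTR owner names are relative (e.g. "5 IN PTR host.foo.bar.") with no hard-coded $ORIGIN. Second, verify from an outside address rather than trusting the config: "dig @yourserver +norecurse www.example.com A" should come back with status REFUSED, while "dig @yourserver foo.bar SOA" and "dig @yourserver -x 198.51.100.5" should still answer. On BIND 9.4 and later, allow-query-cache is the more precise option for controlling who may read cached data, and it defaults to the allow-query setting when not given explicitly.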