match-recursive-only vs configured zones

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue May 19 17:50:58 UTC 2009


> On May 19, 2009, at 9:45 AM, Matus UHLAR - fantomas wrote:
>> I'd like to know how a match-recursive-only view interacts with
>> configured zones.

On 19.05.09 10:25, Chris Buxton wrote:
> The order of views matters. The first one matched, wins.
>
> Let's suppose you have a config along these lines:
>
> view "resolver" {
> 	match-clients { local-clients-acl; };
> 	match-recursive-only yes;
> 	allow-recursion { local-clients-acl; };

wouldn't "recursion yes;" have the same effect here?

> };
> view "auth" {
> 	recursion no;
> 	zone "example.com" {
> 		type master;
> 		file "example.com";
> 	};
> };
>
> There are three scenarios for queries:
>
> - If a query comes from the outside, it will hit the "auth" view,  
> regardless of whether it's recursive or iterative. It will always be
> answered as an iterative query - that is, your server will not perform  
> recursion for outside clients, and the ra bit will always be turned off 
> in the response.

That's the desired effect.

> - If a recursive query comes from an authorized user, it will be  
> answered by the "resolver" view. If it is for one of your local zones,  
> the "resolver" will end up asking the "auth" view for the answer.

So it will just use the zones configured in "auth" as if they were in
"resolver" - as if I had no views at all?

> (If the server is behind a NAT server, you may need to configure something
> specially to make this work.)

It's not, but can you at least give me a hint so I could understand?

> - If an iterative query comes from the internal network, it will be  
> handled by the "auth" view. This allows you to use other internal  
> resolving servers without having to special-case anything.
>
> One thing to note, for internal users who use nslookup (or dig, or host, 
> or whatever) to try to diagnose problems with the "auth" view: If they 
> send recursive queries, they will get non-authoritative responses. If 
> they send iterative queries, they will be told that recursion is not 
> available. This can be confusing.

I think this won't confuse me. This is a server some people use for
recursion and there are also some domains there, I want to move all services
away and shut the server down.

Now if I configured 

view "external" {
	match-clients { any; };
	match-recursive-only yes;
	recursion no;
};

between "resolver" and "auth", that view would be used for all recursive
queries from unauthorised sources, while iterative queries would still go to
"auth", so I could provide special (no) service to unauthorised recursive
clients, correct?


Thank you.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
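As an added illustration (not part of this thread or of BIND itself), the following Python model reproduces the view-selection rules Chris describes: views are tried in named.conf order, a view matches only if the client is in its match-clients ACL and, when match-recursive-only is yes, only if the query has the RD bit set; the first match wins. It assumes a sample local-clients-acl of 192.0.2.0/24 and models both the two-view config quoted above and the three-view variant with the proposed "external" view.

```python
import ipaddress

# Constructed sample ACL standing in for local-clients-acl.
LOCAL_CLIENTS_ACL = [ipaddress.ip_network("192.0.2.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]   # match-clients { any; }

# Views in named.conf order. "recursion" is the view's recursion setting,
# which is what the ra bit in responses from that view reflects.
RESOLVER = {"name": "resolver", "match_clients": LOCAL_CLIENTS_ACL,
            "match_recursive_only": True, "recursion": True}
EXTERNAL = {"name": "external", "match_clients": ANY,
            "match_recursive_only": True, "recursion": False}
AUTH = {"name": "auth", "match_clients": ANY,
        "match_recursive_only": False, "recursion": False}

VIEWS_QUOTED = [RESOLVER, AUTH]              # config from Chris's mail
VIEWS_PROPOSED = [RESOLVER, EXTERNAL, AUTH]  # with the "external" view added


def in_acl(addr, acl):
    return any(addr in net for net in acl)


def select_view(client_ip, rd_bit, views=VIEWS_PROPOSED):
    """Return the name of the first view matching the query, or None.

    A view matches when the client is in match-clients and, if the view
    sets match-recursive-only yes, the query is recursive (RD=1)."""
    addr = ipaddress.ip_address(client_ip)
    for view in views:
        if not in_acl(addr, view["match_clients"]):
            continue
        if view["match_recursive_only"] and not rd_bit:
            continue
        return view["name"]
    return None


def describe(client_ip, rd_bit, views=VIEWS_PROPOSED):
    """Return (view name, ra bit) for a query, or None if no view matches."""
    name = select_view(client_ip, rd_bit, views)
    if name is None:
        return None
    view = next(v for v in views if v["name"] == name)
    return name, view["recursion"]


if __name__ == "__main__":
    for ip, rd in [("192.0.2.10", 1), ("192.0.2.10", 0),
                   ("203.0.113.5", 1), ("203.0.113.5", 0)]:
        print(ip, "RD=%d" % rd, describe(ip, rd, VIEWS_QUOTED),
              describe(ip, rd, VIEWS_PROPOSED))
```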
