AW: Disabling recursion causes browser hangs on clients with auto proxy config

Kevin Darcy kcd at chrysler.com
Mon Jan 25 23:08:03 UTC 2010


On 1/25/2010 2:47 PM, Niall O'Reilly wrote:
> Frank Stanek wrote:
>> I'm sorry but I don't quite understand what you mean. Could you
>> please elaborate this on the basis of this excerpt from our pac
>> file?
>>
>> function FindProxyForURL(url, host)
>> {
>>     var proxy1 = "PROXY 192.168.240.29:8080";
>>     var proxy2 = "PROXY 172.16.1.30:8080";
>>     if ( dnsDomainIs(host, ".intern")
>>         || shExpMatch(url, "*//localhost*")
>>         || shExpMatch(url, "*//127*")
>
>     So far so good: you've tried to match part of the text of the
>     URL against each of those rules.
>
>>         || isInNet(host, "192.168.1.0", "255.255.255.0")
>>         // more lines with subnets
>
>     Before applying this rule, your browser has to convert the
>     domain name given in the URL to an address, in order to check
>     whether the address belongs to the subnet.  Since you've
>     chosen to block recursive name resolution, this rule will fail
>     except for domain names for which your name server is
>     authoritative; likewise for "more lines with subnets".
>

Good analysis.

More generally,
1) isInNet() or any other function which causes constant DNS lookups is 
bad from a DNS infrastructure point of view, and can run into caching 
complications
2) any form of access control which involves turning off recursion for 
particular clients is iffy, since stub resolvers don't react 
consistently to unexpected lookup results such as referrals. It is 
generally better to give a definitive REFUSED response, in order to make 
one's intent clear. In BIND terms, that would be "allow-query" rather 
than "allow-recursion".

                                                                         
                                                                         
                                                         - Kevin
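
Added example, not part of the original thread or the poster's PAC file: one way to act on point 1 is to run the string-only tests first and call isInNet() only when the host is already an IP literal, so evaluating the PAC file never sends a name to the resolver. The helper stubs (so it runs under Node), `isIPv4Literal`, `lookupsFor`, the sample zone and both return values are assumptions, since the excerpt ends before any return statement.

```javascript
// Added example. Node stand-ins for the PAC helpers a real browser supplies itself.
let dnsLookups = 0;                                   // simulated resolver queries
const CONSTRUCTED_ZONE = { "wiki.intern": "192.168.1.20" };  // constructed data
function dnsResolve(host) {          // stub: null models a lookup that fails
  dnsLookups++;
  return CONSTRUCTED_ZONE[host] || null;
}
function toInt(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}
function isIPv4Literal(host) {       // hypothetical helper, not a PAC built-in
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every(o => Number(o) <= 255);
}
function isInNet(host, net, mask) {  // like the built-in: resolves names first
  const ip = isIPv4Literal(host) ? host : dnsResolve(host);
  if (!ip) return false;
  const m = toInt(mask);
  return ((toInt(ip) & m) >>> 0) === ((toInt(net) & m) >>> 0);
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function FindProxyForURL(url, host) {
  var proxy1 = "PROXY 192.168.240.29:8080";
  var proxy2 = "PROXY 172.16.1.30:8080";
  // String-only tests first: these never touch the resolver.
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")) {
    return "DIRECT";                 // assumed action; the excerpt ends before it
  }
  // Subnet test only for IP literals, so isInNet never has to resolve a name.
  if (isIPv4Literal(host) && isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return proxy1 + "; " + proxy2;     // assumed failover order
}

// Returns how many resolver queries one PAC evaluation caused.
function lookupsFor(url, host) {
  const before = dnsLookups;
  FindProxyForURL(url, host);
  return dnsLookups - before;
}
```

The trade-off is that a hostname outside ".intern" that happens to resolve into 192.168.1.0/24 is now sent to the proxy, so internal names need to be covered by the string rules.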




