AW: Disabling recursion causes browser hangs on clients with auto proxy config

Frank Stanek frank.stanek at est.fujitsu.com
Tue Jan 26 08:24:44 UTC 2010


Thanks very much to everyone who replied and explained this set
of problems in such detail to me. It's now clear as day and of
course you are correct. You have made my day. :-)

As for "allow-query" instead of "allow-recursion" - I see what
you mean, the stub resolvers seem to react differently to
"recursion not available" than they do for flat out "refused",
especially when more than one name server is configured.
However I cannot refuse because the clients still need to be
able to resolve our zones. I will work something out for this,
so thanks for that hint as well.

Regards
Frank


----- Original Message -----
From: "Kevin Darcy" <kcd at chrysler.com>
Sent: Tue, 26.1.2010 00:08
To: bind-users at lists.isc.org
Subject: Re: AW: Disabling recursion causes browser hangs on clients with auto proxy config

On 1/25/2010 2:47 PM, Niall O'Reilly wrote:
> Frank Stanek wrote:
>> I'm sorry but I don't quite understand what you mean. Could you
>> please elaborate this on the basis of this excerpt from our pac
>> file?
>>
>> function FindProxyForURL(url, host)
>> {
>>     var proxy1 = "PROXY 192.168.240.29:8080";
>>     var proxy2 = "PROXY 172.16.1.30:8080";
>>     if ( dnsDomainIs(host, ".intern")
>>         || shExpMatch(url, "*//localhost*")
>>         || shExpMatch(url, "*//127*")
>
>     So far so good: you've tried to match part of the text of the
>     URL against each of those rules.
>
>>         || isInNet(host, "192.168.1.0", "255.255.255.0")
>>         // more lines with subnets
>
>     Before applying this rule, your browser has to convert the
>     domain name given in the URL to an address, in order to check
>     whether the address belongs to the subnet.  Since you've
>     chosen to block recursive name resolution, this rule will fail
>     except for domain names for which your name server is
>     authoritative; likewise for "more lines with subnets".
>

Good analysis.

More generally,
1) isInNet() or any other function which causes constant DNS lookups is 
bad from a DNS infrastructure point of view, and can run into caching 
complications
2) any form of access control which involves turning off recursion for 
particular clients is iffy, since stub resolvers don't react 
consistently to unexpected lookup results such as referrals. It is 
generally better to give a definitive REFUSED response, in order to make 
one's intent clear. In BIND terms, that would be "allow-query" rather 
than "allow-recursion".

- Kevin
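As an added illustration (not code from the thread or from either poster), here is a PAC function that keeps the shape of Frank's excerpt but only calls isInNet() once the host is already an IPv4 literal, so the browser's PAC engine never has to resolve a name to evaluate a subnet rule. The PAC runtime helpers dnsDomainIs, shExpMatch and isInNet are shimmed so the file runs under Node; in a browser the engine supplies them, and its isInNet() resolves hostnames through DNS. The excerpt does not show the return values, so "DIRECT" for internal destinations, the two proxies as fallback, and the extra 10.0.0.0/8 subnet are assumptions.

```javascript
// Minimal shims for the PAC runtime helpers so this runs under Node. A browser
// supplies its own; the browser's isInNet() resolves hostnames through DNS,
// which is exactly the lookup this version of the PAC file avoids.
const IPV4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function ipToInt(ip) {
  const m = IPV4_LITERAL.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

function dnsDomainIs(host, domain) { return host.endsWith(domain); }

function shExpMatch(str, pattern) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + pattern.split("*").map(esc).join(".*") + "$").test(str);
}

// Literal-only isInNet(): anything that is not an IPv4 literal is simply "not in
// the net", instead of being handed to the resolver.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  var proxy1 = "PROXY 192.168.240.29:8080";
  var proxy2 = "PROXY 172.16.1.30:8080";
  host = host.toLowerCase();
  // Name-based rules first: none of these needs a DNS lookup.
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")) {
    return "DIRECT";   // assumed: the thread's excerpt does not show the return
  }
  // Subnet rules only when the host is already an address, so the PAC engine
  // never has to resolve a name (which fails or hangs without recursion).
  if (IPV4_LITERAL.test(host)
      && (isInNet(host, "192.168.1.0", "255.255.255.0")
          || isInNet(host, "10.0.0.0", "255.0.0.0"))) {  // constructed extra subnet
    return "DIRECT";
  }
  return proxy1 + "; " + proxy2;   // assumed fallback for everything else
}
```

The trade-off is that a hostname which resolves into one of the listed subnets no longer matches the subnet rule; such destinations must be covered by a name-based rule like dnsDomainIs() instead.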