allow-query and views
Matus UHLAR - fantomas
uhlar at fantomas.sk
Thu Feb 21 15:40:17 UTC 2013
On 21.02.13 08:59, Robert Moskowitz wrote:
>I am reading: https://www.isc.org/software/bind/faq and 'What has
>changed in the behavior of "allow-recursion" and "allow-query-cache"
>'.
>
>
>I am struggling here trying to match up the various access control
>features, particularly when we are supposed to have different views
>for different clients.
>
>So for my internal view where I:
>
> match-clients { httnets; };
> match-destinations { httnets; };
> recursion yes;
> allow-query { httnets; };
allow-query is useless here, unless you have disabled it somewhere.
The match-clients does enough.
>Do I also add
>
> allow-query-cache { httnets; };
>???
You apparently want to turn on recursion for your clients, which means you
should use "allow-recursion" and let allow-query-cache be the same by
default.
>And for the external view where:
>
> match-clients { any; };
> match-destinations { any; };
> allow-query { any; };
> recursion no;
>
>Do I add:
>
> allow-query-cache { localhost; };
>??? Supposedly localhost will fall into the internal view (along
>with httnet)
and does localhost belong to the httnets ACL?
>, so nothing should be querying cache?
Correct, no external hosts should query your cache.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows. -- Matthew D. Fuller
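The two views discussed in this thread, written out as one named.conf fragment. This is an added example, not configuration posted by either participant; the ACL addresses, zone name and file paths are constructed placeholders, and putting localhost in httnets and setting allow-query-cache to none in the external view are assumptions made for the illustration.

```conf
// Added example. 192.0.2.0/24 is a documentation range used as a placeholder.
acl httnets {
    localhost;        // assumption: the server's own addresses belong to the internal view
    192.0.2.0/24;     // constructed internal network
};

options {
    directory "/var/named";   // placeholder path
};

// Views are tried in order, so the internal view must come first.
view "internal" {
    match-clients { httnets; };   // already limits who reaches this view,
                                  // so a separate allow-query adds nothing here
    recursion yes;
    allow-recursion { httnets; }; // allow-query-cache follows this when left unset

    zone "example.com" {          // placeholder zone
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone who did not match httnets lands here: authoritative answers only.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };          // zone data is public
    allow-query-cache { none; };   // assumption: stated explicitly so no external
                                   // host can read cached data

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Running named-checkconf on the file catches syntax errors before a reload.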