high volume from outside our networks question

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed Jan 30 22:23:53 UTC 2013


I think this is one of those reasons why mixing caching/recursion with authoritative is bad. 

I think the option needed is 'additional-from-cache no;', but it's only effective if 'recursion no' is done in global options ... or in a view? 

Hmm, wonder if view is the answer....perhaps try something like: 

    view "trusted" { 
        match-clients { trusted; }; 
        recursion yes; 
        allow-recursion { trusted; }; 
        # allow-query-cache then defaults to the same match list as allow-recursion 
        .... 
    }; 
    view "untrusted" { 
        match-clients { any; }; 
        recursion no; 
        additional-from-cache no; 
        .... 
    }; 

----- Original Message -----

> acl "trusted" {
> xxx.xxx.xxx.0/20;
> xxx.xxx.xxx.0/23;
> xxx.xxx.xxx.0/22;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> x.xx.xxx.0/21;
> x.xx.xx.0/24;
> xxx.xxx.xxx.0/24;
> localhost;
> localnets;
> };

> options {
> // Relative to the chroot directory, if any
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-recursion { "trusted"; };
> allow-query { any; };
> allow-query-cache { "trusted"; };

> It's a standard conf with the default stuff in it as well as 24 zones
> or so in it.

> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjcarr at gmail.com> wrote:

> > So the response you received wasn't recursed (";; WARNING: recursion
> > requested but not available"), so at least that ACL is holding up, but
> > it could be that the response you got is still being served from your
> > DNS server's cache. Can you share the exact configuration statements
> > you have implemented for allow-recursion and allow-query-cache and are
> > these options in the view stanza or in the global options?
> 
> > Best practice is that authoritative and recursive DNS servers should
> > be completely separate.
> 
> > Steve
> 

> --
> Richard Carroll
> richcarroll at gmail.com
> 785-288-1144

-- 

Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator 
For: Enterprise Server Technologies (EST) -- & SafeZone Ally 
Snail: Computing and Telecommunications Services (CTS) 
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102 
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu 
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library 
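A complete named.conf that does what the view sketch in the reply above describes, as an added example that is not part of this thread and not ISC's own sample configuration. Assumptions: the 192.0.2.0/24 and 198.51.100.0/24 prefixes stand in for the real "trusted" ranges, the authoritative zone statements are assumed to live in a file /etc/namedb/zones.conf that both views include, and the root-hints file is assumed to be named.root in the server's directory.

```conf
# Added example, not from the thread: split recursive service for "trusted"
# clients from authoritative-only service for everyone else using two views.
# Prefixes, the zones.conf file and the named.root file name are placeholders.

acl "trusted" {
    192.0.2.0/24;        # placeholder for your own prefixes
    198.51.100.0/24;     # placeholder
    localhost;
    localnets;
};

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";

    # Global defaults: no recursion and no cache access for anyone.
    # The trusted view re-enables them below, so a client that matches
    # no view (or a view that forgets these lines) gets the safe default.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };
};

view "trusted" {
    match-clients { trusted; };

    # Full resolver for inside clients only.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    # Root hints are needed here because this view actually recurses.
    zone "." { type hint; file "named.root"; };

    # Same authoritative zones as the untrusted view (assumed file).
    include "/etc/namedb/zones.conf";
};

view "untrusted" {
    match-clients { any; };

    # Authoritative answers only: no recursion, no answers from the cache,
    # and no cached records glued into the additional section either
    # (e.g. A/AAAA for out-of-zone NS names).  additional-from-cache was
    # dropped in later BIND releases; remove the line if named rejects it.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    additional-from-cache no;

    include "/etc/namedb/zones.conf";
};
```

Two things to watch when converting an existing flat configuration: once any view is declared, every zone statement has to live inside a view, so the 24 zones from the original options-style config must move into (or be included by) both views; and the order of views matters, because the first match-clients that matches wins, so "trusted" has to come before the catch-all. To check the result from a host outside the trusted ranges, run `dig +norecurse @your-server <name-in-one-of-your-zones> A` and expect an answer with the `aa` flag, then `dig +norecurse @your-server <name-you-are-not-authoritative-for> A` and expect status REFUSED or an empty answer with no `aa` flag; a filled-in ANSWER section without `aa` is exactly the cache leak the reply above is asking about.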