questions on allow-query
Mark Elkins
mje at posix.co.za
Tue Feb 20 07:57:54 UTC 2018
Reading between the lines, it sounds like you may be mixing nameserver
roles: recursive with authoritative.
This is not a good idea, and it is why other nameserver software (NSD,
Unbound and others) performs one role or the other. I understand
that BIND-10 was also designed like this: separate software modules for
the two separate roles.
Then your "access list" is simple.
Recursive: starts with knowing next to nothing, can be asked for
anything and serves a restrictive population.

    acl "trusted" {
        127.0.0.0/8;
        ::1/128;
        192.X.X.0/24;
        2001:hhhh:hhhh:hhhh::/48;
    };
    allow-query { trusted; };
    allow-recursion { trusted; };
Authoritative: starts with knowing everything about just a few domains,
can only be asked about what it knows and serves the world.

    allow-query { any; };
    allow-recursion { none; };
You'll otherwise find that things like DNSSEC don't work as expected.
On 20/02/2018 00:51, @lbutlr wrote:
> If I set
>
>     allow-query { 127.0.0.1; [myipblock]; };
>
> then my DNS doesn't respond to any other servers, right? This would be bad for being authoritative. So, should I set that and then set allow-query { any; }; in each zone?
>
> Is that better than simply setting the IPs that are allowed recursion?
>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
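The split described in the reply above, written out as two complete named.conf fragments, one per host. This is an added example, not configuration from the original post: the host names ns-resolver and ns-auth, the zone example.com, the file paths and the secondary's address are all assumed, and the address ranges are RFC 5737/3849 documentation prefixes standing in for your own.

```conf
// ============================================================
// Host "ns-resolver" (assumed name): the recursive resolver.
// Knows nothing to begin with, may be asked anything, but only
// by the "trusted" population. Nothing here is authoritative.
// ============================================================
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;          // documentation range; substitute your LAN
    2001:db8::/48;         // documentation range; substitute your prefix
};

options {
    directory "/var/cache/bind";          // path assumed
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };       // cached answers leak data too
    dnssec-validation auto;               // validate what upstream serves
    // No "zone" statements for your own domains on this host: answers
    // for them should arrive from the authoritative servers and pass
    // through the validator like everything else.
};

// ============================================================
// Host "ns-auth" (assumed name): the authoritative server.
// Knows only its own zones, answers only for them, serves anyone.
// (Separate file on a separate host; named.conf allows only one
// "options" block per server.)
// ============================================================
options {
    directory "/var/cache/bind";          // path assumed
    recursion no;                         // the actual off switch
    allow-query     { any; };
    allow-recursion { none; };            // belt and braces with the above
    allow-transfer  { none; };            // re-open per zone, to secondaries only
    minimal-responses yes;
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";   // path assumed
    allow-transfer { 203.0.113.53; };        // secondary; address assumed
};
```

Two things worth checking once this is in place. On the authoritative host, `dig @ns-auth example.com SOA` should come back with the `aa` flag and without `ra`, and a query for a name it does not host (say `dig @ns-auth www.example.net A`) should be answered REFUSED rather than resolved, because `recursion no;` is what disables the recursive code path; `allow-recursion { none; }` on its own only says who may use it. On the resolver, the same `www.example.net` query should succeed with `ra` set from a trusted address and be REFUSED from anywhere else. The alternative raised in the question, a global `allow-query { trusted; }` plus `allow-query { any; };` inside each zone on a single server, does work syntactically, but it leaves one box both answering the world for its zones and holding a cache, and BIND answers queries for zones it is authoritative for straight from zone data without running them through the validator, which is one reason DNSSEC behaves unexpectedly on a mixed server.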