allow query / allow recursion confusion
Kal Feher
kal.feher at melbourneit.com.au
Fri Jun 22 02:37:12 UTC 2007
The allow-query behaviour changed with 9.4
Allow-query-cache was added and is specific to the cache.
I note you tested on 9.3; I don't believe the statement allow-query-cache was
available on that release, hence your counter-intuitive results.
On 22/6/07 10:09 AM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
> Kal Feher wrote:
>> On 21/6/07 1:14 PM, "Clenna Lumina" <savagebeaste at yahoo.com> wrote:
>>
>>>
>>> Doesn't setting
>>>
>>> recursion no;
>>>
>>> do that too?
>> No, I'll elaborate below from the 9.4 ARM:
>>
>> "allow-recursion
>>
>> Note that disallowing recursive queries for a host does not prevent
>> the host from retrieving data that is already in the server's cache."
>>
>> and
>>
>> "recursion
>>
>> Note that setting recursion no does not prevent clients from
>> getting data from the server's cache; it only prevents new data from
>> being cached as an effect of client queries. Caching may still occur
>> as an effect the server's internal operation, such as NOTIFY address
>> lookups."
>>
>> So we now use:
>>
>> "allow-query-cache
>>
>> Specifies which hosts are allowed to get answers from the cache.
>> The default is the builtin acls localnets and localhost. "
>>
>
> Sorry, I should have been more clear. Using "recursion no;" in the scope of a
> "view" seems to prevent _any_ recursive queries.
>
> * * *
>
> I even did a test using my bind 9.3.4 server that masters some zones.
>
> From a remote ssh connection, I queried my server:
>
> 1) Queried one of the zones it's authoritative for. Ok, that works.
>
> 2) Queried yahoo.com, got back a list of root servers (dig), nothing
> more.
>
> 3a) on a local console, queried yahoo.com against the same bind server,
> got 2 IPs for yahoo.com, 7 NS's (2 of which return A records in the
> ADDITIONAL field.)
>
> 3b) sent the same query again from the remote console for yahoo.com, got
> a list of root servers from dig again, nothing changed.
>
> And yes, that name server (Bind 9.3.4) uses views, only allowing the
> internal view to issue recursive queries (recursion yes;) while the
> external only allows querying of zones the server is authoritative for
> (recursion no;)
>
> * * *
>
> Works like a charm, nothing is taken from cache, so can you please
> clarify how one would be able to get something out of my cache (like
> google.com, etc) ?
--
Kal Feher
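As an added illustration of the point in the reply above (this is not either poster's configuration; the ACL name, view names, zone and file name are made up for the example), here is a named.conf fragment for BIND 9.4 or later. The first external view relies on "recursion no;" alone, which per the quoted ARM text still lets outside hosts read whatever that view's cache already holds; the second also sets allow-query-cache so outside hosts only get answers for zones the server is authoritative for.

```conf
// Added example, not from the thread. Assumed ACL "internal", assumed
// zone "example.com" and file "example.com.zone".
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

// Internal view: recursion and cache access for trusted clients only.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    zone "example.com" { type master; file "example.com.zone"; };
};

// External view, WEAK: "recursion no;" stops new data being cached on
// behalf of clients, but (9.4 ARM) does not stop a host from reading
// data already in the cache, e.g. from NOTIFY address lookups.
// Shown for contrast only; use either this view or the one below.
// view "external-weak" {
//     match-clients { any; };
//     recursion no;
//     zone "example.com" { type master; file "example.com.zone"; };
// };

// External view, CORRECTED: deny cache reads explicitly, so outside
// hosts receive authoritative data only.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    zone "example.com" { type master; file "example.com.zone"; };
};
```

Run named-checkconf against the full file after merging this fragment; on a 9.3 server the allow-query-cache statement is not recognised, which matches the reply's explanation of the 9.3.4 test results.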