
open recursion/cache problem
\ Jeffrey Williams (24 Aug 2006)
. \ Barry Margolin (24 Aug 2006)
. . \ Stefan Schmidt (29 Aug 2006)
. . . \ Chris Thompson (29 Aug 2006)
. . . . \ Stefan Schmidt (29 Aug 2006)
. . . . . \ Kevin Darcy (29 Aug 2006)
. \ Mark Andrews (29 Aug 2006)

Subject: Re: open recursion/cache problem
Group: Bind-users
From: Mark Andrews
Date: 29 Aug 2006

> Stefan Schmidt wrote:
> > On Tue, Aug 29, 2006 at 12:31:10PM +0100, Chris Thompson wrote:
> >
> >>> He asked to specifically limit recursive queries to his IP space as he
> >>> also has zones he is authoritative for that need to get served - so he
> >>> cannot just block all queries recursive or otherwise.
> >>>
> >> That's _why_ Barry said
> >>
> >> Then in all the public zone definitions, add "allow-query{any;};"
> >>
> >> Specifying allow-query in a zone statement overrides the value in the
> >> options statement, for queries for records within that zone.
> >>
> >
> > Right, i misread him then.
> > I separated authoritative and recursive nameservers long ago - which is what
> > i would strongly recommend doing if you have more than just a few zones
> > to manage btw. - so i forgot about the following:
> >
> > allow-recursion
> > Specifies which hosts are allowed to make recursive queries through
> > this server. If not specified, the default is to allow recursive
> > queries from all hosts. Note that disallowing recursive queries
> > for a host does not prevent the host from retrieving data that is
> > already in the server's cache.
> >
> > For Jeffrey's setup this means that clients not listed in allow-recursion
> > will not be able to trigger named to issue any recursive action but
> > will be shown the contents of what it already cached which we might call
> > minor information leakage.
> >
> > IMO there should be an option that prevents non-authoritative zones from
> > being queried. This way the above would become more clear.
> > Say allow-recursive-clients-from or something similar.
> >
> >
> BIND 9.4.0 has "allow-query-cache" (from CHANGES):
>
> New option "allow-query-cache". This lets allow-query be
> used to specify the default zone access level rather than
> having to have every zone override the global value.
> allow-query-cache can be set at both the options and view
> levels. If allow-query-cache is not set allow-query applies.
>
> - Kevin

Which is further modified by:

2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".

This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leaves authoritative
servers exposed.

The best fix is for full BCP 38 deployment to
remove spoofed traffic.

localnets should be a superset of localhost, but on some
platforms we can't get an IPv6 prefix length to set localnets.
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews
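
Putting the three directives discussed in this thread together: the following named.conf is an added example, not posted by anyone in the thread, for a server that must stay authoritative to the world while recursing and answering from cache only for its own clients. It assumes BIND 9.4.0 or later (allow-query-cache does not exist in 9.3); the ACL name "trusted", the address ranges (RFC 5737 / RFC 3849 documentation prefixes) and the zone and file names are placeholders.

```conf
// Added example, not from the bind-users thread.  Requires BIND >= 9.4.0
// for allow-query-cache.  Names and prefixes below are assumptions.

// What not to do (the "open recursion/cache" configuration):
//
// options {
//     allow-query { any; };      // no allow-recursion, no allow-query-cache:
// };                             // anyone on the Internet can recurse through
//                                // this server and read its cache.

acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;        // assumed: the operator's own IPv4 space
    2001:db8::/32;       // assumed: the operator's own IPv6 space
};

options {
    directory "/var/named";

    // Default access level for zones that do not set their own allow-query.
    allow-query { trusted; };

    // Who may have this server recurse on their behalf.
    // On its own this still lets anyone read what is already cached.
    allow-recursion { trusted; };

    // Who may read answers already in the cache (BIND 9.4.0+).
    // This closes the cache leak that allow-recursion alone leaves open.
    allow-query-cache { trusted; };
};

// Public authoritative zone: the zone-level allow-query overrides the
// options default, so the whole Internet can still query these records.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// Root hints: needed so recursion works for the trusted clients.
zone "." {
    type hint;
    file "named.ca";
};
```

Check the result from an address outside "trusted": a query for a name in example.com is answered, a query for any other name gets REFUSED rather than a cached answer, and the response no longer has the "ra" (recursion available) flag set. On a 9.3 server the allow-query-cache line must be dropped, and the cache then remains readable to anyone who passes the options-level allow-query, which is exactly the leak Stefan describes above.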
© 2004-2008 readlist.com