The problem is that editing the options list to:

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-recursion { wemadenets; };
};

allows anyone to make recursive requests for any name against my server. I don't want that. By leaving the options list to "allow-query { localhost; localnets; wemadenets; };" I prevent any ole recursive query (www.google.com for instance) except from my network while still allowing queries to the zones that I host. However that brings me back to my original problem... it refuses queries for the reverse zone for my IP block.

-Geoff

-----Original Message-----
From: bind-users-bounces+geoff.sweet=wemadeusa....@lists.isc.org [mailto:bind-users-bounces+geoff.sweet=wemadeusa....@lists.isc.org] On Behalf Of Robert Spangler
Sent: Monday, February 22, 2010 16:54
To: bind-users@lists.isc.org
Subject: Re: Query denied errors on PTR records for delegated zone

On Monday 22 February 2010 19:26, Geoff Sweet wrote:

> I have tried several different attempts to make this work, and the only
> change that works is to set in the options allow-query{any;};. However the
> problem with that is that it then permits anyone to make any query against
> my nameservers and I don't want that.

That the purpose of having a public DNS server? So others can get your public DNS information? You want them to be able to query your server for your information but not allow recursion. By only allowing localhost, localnets and wemadenets, everyone else is blocked thus they cannot get your information.

> Can anyone here offer me some advice as to what I am doing wrong? For reference here is my config file:
>
> acl wemadenets { 66.150.173.0/26; };
>
> options {
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query { localhost; localnets; wemadenets; };
>         allow-recursion { wemadenets; };
> };

Edit allow-query and allow any. Then everyone can get your information and still not use your server for recursion.

I take it you are working off some sort of how-to for this.

--

Regards
Robert

Linux User #296285
http://counter.li.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
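
Added example, not part of the thread and not either poster's configuration: a named.conf sketch that keeps the global allow-query restricted and opens each authoritative zone, including the delegated reverse zone, with its own allow-query, relying on the fact that a zone-level allow-query overrides the one in options. The zone names and file names are placeholders.

```conf
// Added example (not from the thread). Zone names and file names are
// placeholders; substitute the zones this server is authoritative for.

acl wemadenets { 66.150.173.0/26; };

options {
        directory "/var/named";

        // Default for every query not covered by a zone-level override:
        // only local clients may query, and only wemadenets may recurse.
        allow-query     { localhost; localnets; wemadenets; };
        allow-recursion { wemadenets; };
};

// Forward zone hosted on this server: answerable by anyone.
zone "example.com" {                              // placeholder zone name
        type master;
        file "example.com.zone";                  // placeholder file name
        allow-query { any; };                     // overrides options allow-query
};

// Delegated reverse zone for the address block: also answerable by anyone,
// so outside resolvers following the delegation can fetch the PTR records.
zone "REVERSE-ZONE-PLACEHOLDER.in-addr.arpa" {    // placeholder zone name
        type master;
        file "reverse.zone";                      // placeholder file name
        allow-query { any; };
};
```

Check the syntax with named-checkconf before reloading, then query a PTR record and an unrelated name from a host outside the ACL to confirm the first is answered and the second is refused.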