So if my server is authoritative for MyDomain.com, should Joe Sixpack be able to resolve it via whatever DNS he's using, as mine is currently set up?

Do I need to change it to

    allow-query { any; };

in order to allow that to happen? Will my restriction on recursion keep the riffraff to a minimum?

Thanks.

On 9/29/14, 7:58 PM, Ben Croswell wrote:

The default for allow query is local host, local nets. Basically the server itself and directly connected networks.

On Sep 29, 2014 8:03 PM, "Bill Christensen" <billc_li...@greenbuilder.com> wrote:

    Hi folks,

    Something got sideways on one of my DNS servers, and I would
    appreciate some help in figuring out what's going on.

    I'm running BIND 9.10.1.  This server is authoritative master for
    a number of domains.

    First off, I may have the allow-query set incorrectly. Currently I
    have:

    acl query-permit {
        (range of IP address on the local LAN which are allowed to use this server as their query server)
        };

    acl recursive-permit {
        (range of IP address on the local LAN which are allowed to use this server for recursive queries)
        };

    acl transfer-permit {
        (IP addresses of a couple other name servers allowed to do transfers with this one)
        };

    and at the beginning of the options section:

            allow-recursion { recursive-permit; };
            allow-transfer { transfer-permit; };
    //      allow-query { query-permit; };

    Allow-query is commented out, which I assume will allow anyone to
    query this server for the domains for which it has master or slave
    records, but does not allow the general public to do recursive
    queries or queries on domains not hosted here.

    Let me know if I've got that right, or how to correct it if I don't.

    If this part is correct I'll continue the questioning.

    Thanks!




    _______________________________________________
    Please visit https://lists.isc.org/mailman/listinfo/bind-users to
    unsubscribe from this list

    bind-users mailing list
    bind-users@lists.isc.org
    https://lists.isc.org/mailman/listinfo/bind-users


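Added example, not part of the original thread or of anyone's actual configuration: a named.conf fragment for the setup being discussed, an authoritative server that answers everyone for its hosted zones but recurses only for the LAN. The addresses, zone name and file name are constructed placeholders; the ACL names are the ones used in the thread.

```conf
// named.conf fragment: authoritative for public zones, recursion for the LAN only.
// All addresses below are constructed placeholders from the documentation ranges.

acl recursive-permit {
    192.0.2.0/24;          // local LAN clients that may use this server as a resolver
};

acl transfer-permit {
    198.51.100.10;         // secondary name servers allowed to transfer zones
    198.51.100.11;
};

options {
    // Anyone may ask for data this server is authoritative for, so outside
    // resolvers following the delegation get answers for the hosted zones.
    // Stated explicitly here rather than left commented out.
    allow-query       { any; };

    // Recursion and answers from the cache stay limited to the LAN, so the
    // server does not act as an open resolver for names it does not host.
    allow-recursion   { recursive-permit; };
    allow-query-cache { recursive-permit; };

    // Zone transfers only to the listed secondaries.
    allow-transfer    { transfer-permit; };
};

// Weak variant for comparison: restricting allow-query to the LAN ACL at the
// options level means outside resolvers are refused for the hosted zones too.
//     allow-query { query-permit; };

zone "mydomain.example" {          // hypothetical zone name
    type master;
    file "db.mydomain.example";    // hypothetical file name
};
```

Run named-checkconf on the file before reloading. From a host outside the LAN, a non-recursive query for a hosted zone (dig +norecurse @server mydomain.example SOA) should return an answer with the aa flag, while a query for a name not hosted here should come back REFUSED.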