In allowing my work desktop to access it I found that it was being refused using allow-query, but if I add it to recursion it works. Have I misunderstood the use of allow-query? The BIND Admin Manual seems to say what I thought: use it to allow those to query your server.
acl "trust" { localhost; localnets; 192.168.0.0/24; 202.149.56.199; };
options {
    directory "/var/named/zones";
    allow-query { trust; };
    allow-query-cache { trust; };
    allow-transfer { none; };
    allow-recursion { admin; };
    listen-on { any; };
    transfer-format many-answers;
    interface-interval 0;
};
Now this works well for the LAN, but 202.149.. cannot get an answer. If I change ACL admin to trust it works (the only difference between them is that the 202 IP is not in admin).
So this I ask: does this mean allow-query is useless nowadays?
Or is this only of any use if my server is also authoritative?
Do I even need query since recursive decides who can query my server?
Thanking you
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
> Hi,
> I have a bind server I now use as a caching server.
>
> In allowing my work desktop to access it I found that it was being refused using
> allow-query, but if I add it to recursion it works. Have I misunderstood the
> use of allow-query? The BIND Admin Manual seems to say what I thought: use it
> to allow those to query your server.
>
> acl "trust" { localhost; localnets; 192.168.0.0/24; 202.149.56.199; };
> options {
>     directory "/var/named/zones";
>     allow-query { trust; };
>     allow-query-cache { trust; };
>     allow-transfer { none; };
>     allow-recursion { admin; };
>     listen-on { any; };
>     transfer-format many-answers;
>     interface-interval 0;
> };
>
>
> Now this works well for the LAN, but 202.149.. cannot get an answer. If I change
> ACL admin to trust it works (the only difference between them is that the 202 IP
> is not in admin).
>
> So this I ask: does this mean allow-query is useless nowadays?
> Or is this only of any use if my server is also authoritative?
> Do I even need query since recursive decides who can query my server?
Allow-query allows the clients to query the zones that your server is
authoritative for.
Allow-recursion allows them to request recursion, which is needed to
look up names in remote zones.
Allow-query-cache allows them to query the data that's in the cache due
to some client previously requesting recursion.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
That's not quite right.
allow-query governs who can send *any* query to the server, not just
queries against authoritative data. If a query is blocked by this ACL,
the response sent back is empty (no records), with the RCODE set to
REFUSED.
allow-recursion and allow-query-cache now default to behave like each
other. In other words, if one is set but not the other, the behavior
is as if both were set to the same ACL. Therefore, there's almost
never any reason to set allow-query-cache - just use allow-recursion
for both, unless you truly have a use for allowing someone access to
the cache who does not also have permission to send recursive queries
to the server.
allow-query-cache was added in BIND 9.4. Previously, the only control
on cached data was allow-query.
If a query is blocked by allow-query-cache, the response is REFUSED,
as with allow-query. If it passes allow-query-cache but is blocked by
allow-recursion (an unusual situation these days), the query is
handled as if it were not recursive.
The defaults if no values are set at all:
allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };
My guess is that the OP was being tripped up by the default for allow-recursion.
Chris Buxton
Professional Services
Men & Mice
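To make the decision order Chris describes concrete, here is an added example (written for this page, not BIND source code and not from anyone in the thread): a small Python model of the three client ACL checks on a caching-only server like the poster's, including the BIND 9.4+ defaults he lists. Two things are assumed because the post does not show them: the contents of the "admin" acl (taken to be "trust" without 202.149.56.199, as the poster describes) and the server's "localnets" (taken to be 192.168.0.0/24). The model also simplifies one point: on a server that additionally holds authoritative zones, queries for that zone data are not subject to allow-query-cache, which this caching-only model does not represent.

```python
"""Model of the allow-query / allow-query-cache / allow-recursion checks as
described in Chris Buxton's reply, for a caching-only BIND server.
Added illustration for this thread; not BIND source code."""
import ipaddress

# Built-in ACLs. 'localnets' depends on the server's interfaces and is
# ASSUMED here to be the poster's LAN.
BUILTIN = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["192.168.0.0/24"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}


def expand(acl, named):
    """Flatten an ACL element list into ip_network objects, resolving the
    built-in names and any named acl statements (recursively)."""
    nets = []
    for item in acl:
        if item in BUILTIN:
            nets.extend(ipaddress.ip_network(n) for n in BUILTIN[item])
        elif item in named:
            nets.extend(expand(named[item], named))
        else:
            nets.append(ipaddress.ip_network(item))   # literal address or prefix
    return nets


def matches(client, acl, named):
    """True if the client address is covered by any element of the ACL."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in expand(acl, named))


def effective_acls(options):
    """Fill in the defaults Chris gives: allow-query defaults to any;
    allow-query-cache and allow-recursion default to each other, and to
    { localhost; localnets; } when neither is set."""
    query = options.get("allow-query", ["any"])
    cache = options.get("allow-query-cache")
    recursion = options.get("allow-recursion")
    if cache is None and recursion is None:
        cache = recursion = ["localhost", "localnets"]
    elif cache is None:
        cache = recursion
    elif recursion is None:
        recursion = cache
    return query, cache, recursion


def decide(client, options, named, rd=True):
    """Outcome of one query from `client` with the RD bit set (rd=True) or
    clear: REFUSED, RECURSIVE, or NON-RECURSIVE (answered only from data
    already in the cache, as if RD had not been set)."""
    query, cache, recursion = effective_acls(options)
    if not matches(client, query, named):
        return "REFUSED"       # blocked by allow-query: empty answer, RCODE REFUSED
    if not matches(client, cache, named):
        return "REFUSED"       # blocked by allow-query-cache (caching-only server)
    if rd and matches(client, recursion, named):
        return "RECURSIVE"
    return "NON-RECURSIVE"     # passed the cache ACL but not allow-recursion


# The poster's ACLs. 'admin' is not shown in the post and is ASSUMED to be
# 'trust' minus the 202.149.56.199 address, as the poster describes.
ACLS = {
    "trust": ["localhost", "localnets", "192.168.0.0/24", "202.149.56.199"],
    "admin": ["localhost", "localnets", "192.168.0.0/24"],
}

POSTED = {                      # options {} as posted
    "allow-query": ["trust"],
    "allow-query-cache": ["trust"],
    "allow-recursion": ["admin"],
}
FIXED = {                       # one ACL for both; allow-query-cache follows it
    "allow-query": ["trust"],
    "allow-recursion": ["trust"],
}
DEFAULTS_ONLY = {"allow-query": ["any"]}   # nothing else set: 9.4+ defaults apply

if __name__ == "__main__":
    for label, opts in (("posted", POSTED), ("fixed", FIXED), ("defaults", DEFAULTS_ONLY)):
        for client in ("192.168.0.10", "202.149.56.199", "198.51.100.7"):
            print(f"{label:9} {client:16} {decide(client, opts, ACLS)}")
```

Run as a script, it shows the poster's symptom: 202.149.56.199 passes allow-query and allow-query-cache but not allow-recursion, so its queries are treated as non-recursive and get nothing useful from an empty cache, while the LAN client gets full recursion. With allow-recursion set to the same ACL as allow-query (and allow-query-cache dropped, since it then defaults to match), the desktop works and an unrelated address such as 198.51.100.7 is still REFUSED. The last case shows why allow-query { any; } alone does not turn a 9.4+ server into an open resolver: the cache and recursion ACLs still default to localhost and localnets.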
On Tue, 2009-06-02 at 13:08 +1000, danti...@optusnet.com.au wrote:
> Hi,
> I have a bind server I now use as a caching server.
>
> In allowing my work desktop to access it I found that it was being refused using allow-query, but if I add it to recursion it works. Have I misunderstood the use of allow-query? The BIND Admin Manual seems to say what I thought: use it to allow those to query your server.
>
> acl "trust" { localhost; localnets; 192.168.0.0/24; 202.149.56.199; };
> options {
>     directory "/var/named/zones";
>     allow-query { trust; };
>     allow-query-cache { trust; };
>     allow-transfer { none; };
>     allow-recursion { admin; };
>     listen-on { any; };
>     transfer-format many-answers;
>     interface-interval 0;
> };
>
>
> Now this works well for the LAN, but 202.149.. cannot get an answer. If I change ACL admin to trust it works (the only difference between them is that the 202 IP is not in admin).
>
> So this I ask: does this mean allow-query is useless nowadays?
> Or is this only of any use if my server is also authoritative?
> Do I even need query since recursive decides who can query my server?
Chris summed it up well, so basically, remove the recursion control; yes,
it defaults to allowing "any", but since your allow-query already guards
who can ask and get answers and who won't get answers, you don't really
need it; it's over-complicating your setup.