DNS Recursion

Star nhstar at gmail.com
Wed Sep 14 15:35:01 EDT 2005


On 9/14/05, Kenneth E. Lussier <klussier at comcast.net> wrote:
> 
> Hi All,
> 
> I'm using BIND8 (8.4.6) as an external name server. I want to also use
> it as the name server for my external boxes. However, I can't seem to
> get recursion to work correctly.
> 
> If I use `allow-recursion {none; };` then dns lookups for my local zones
> works fine, but the external boxes can't use it to look up other
> domains.
> 
> If I use `allow-recursion { any; };` then anyone can use it as a DNS
> server.
> 
> I tried `allow-recursion { x.x.x.x; };` (x.x.x.x = external NAT IP
> address), but the query was denied with:
> named[2692]: denied recursion for query from [x.x.x.x].24684 for www.google.com IN
> 
> I have also tried setting up acl external {}; with the ip addresses of
> the external hosts and using `allow-recursion { external; };`. This is
> also denied.
> 
> Is recursion an all or nothing option? I thought that it could take acl
> options. Any thoughts?
> 
> Thanks,
> Kenny
> 
Simplest thing I've done to guard from that is to use the allow-query stanza...

allow-query {
    // Only let mine see.
    192.168.1.0/24;
};

You can use that globally, or if you're also using it to host other domains 
you can use

allow-query {
    // anyone can see this domain.
    any;
};

from within the domain setup.

It's worked for me, at any rate ;-)
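For reference, here is a fuller named.conf fragment putting the two approaches from this thread together: an acl for the hosts that may recurse, a global allow-recursion that uses it, and per-zone allow-query so authoritative data stays public while a private zone does not. This is an added example, not configuration from either poster; the addresses, zone names and file paths are constructed placeholders, and the acl / allow-query / allow-recursion syntax shown is common to BIND 8 and BIND 9.

```conf
// Added example (not from the thread): keep recursion available only to the
// hosts you operate, while still answering for the zones you are authoritative
// for from anywhere. All addresses, names and paths are constructed.

// Hosts that may use this server as a resolver. List the address the queries
// actually arrive from: behind NAT, the logged
// "denied recursion for query from [x.x.x.x]" shows which address that is.
// Entries are evaluated in order and the first match wins.
acl trusted {
    127.0.0.1;
    192.168.1.0/24;     // constructed: internal network
    203.0.113.10;       // constructed: public NAT address of the external boxes
};

options {
    directory "/var/named";     // constructed path

    // Weak setting: an open resolver that anyone on the Internet can use.
    //   allow-recursion { any; };

    // Restricted setting: only the trusted list gets recursive answers.
    // Everyone else may still query, and gets authoritative answers for the
    // zones below, but recursive lookups for other names are denied and
    // logged, as in the "denied recursion" line quoted in this thread.
    allow-recursion { trusted; };
    allow-query     { any; };
};

// Public zone: must stay visible to the whole Internet.
zone "example.com" {
    type master;
    file "master/example.com.zone";             // constructed path
    allow-query { any; };
};

// Private zone that only the trusted hosts should be able to see.
zone "internal.example.com" {
    type master;
    file "master/internal.example.com.zone";    // constructed path
    allow-query { trusted; };
};
```

To confirm the split is doing what you expect, query the server from an address outside the acl for a name you are not authoritative for: the answer should be refused rather than resolved, and named should log a "denied recursion" line for that source address. A query from the same outside address for a name in the public zone should still be answered normally.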