On Thu, Dec 17, 2009 at 10:16 PM, Cathy Almond <cat...@isc.org> wrote:
>
> There are three configuration settings that are relevant to what you're
> trying to do.
>
> allow-query - this controls who is allowed to query the nameserver at
> all. The default if undefined is to allow any.
>
> allow-recursion - this controls who is allowed to make recursive queries
> of your nameserver. Usually you don't want everyone to be able to do
> this which is why the default behaviour is restrictive.
>
> allow-query-cache - this one is subtle - it controls who is allowed to
> be given answers from cached data. That's not quite the same as
> allow-recursion because if the answer is not available in cache the
> nameserver won't go out to find it.
>
> Both allow-recursion and allow-query-cache default to each other (if one
> is specified but not the other).
>
> If neither is specified, but allow-query IS defined (in other words it
> doesn't just default), then they both use what is set in allow-query.
>
> If nothing at all is defined, then (with recursion yes;) they both
> default to { localhost; localnets; };
>
> Therefore to make recursion work for you, you need to configure one of
> allow-recursion and allow-query-cache.
>
> If you want to make a difference between access to cache and to
> recursion, then you need to configure both allow-query-cache and
> allow-recursion.
>
> Currently with none of them specified at all you are getting this:
>
> allow-query { any; };
> allow-query-cache { localhost; localnets; };
> allow-recursion { localhost; localnets; };
>
> The behaviour of all of these settings is described in the Administrator
> Reference Manual (ARM) which is distributed with BIND and is also
> available on the ISC website:
>
> https://www.isc.org/software/bind/documentation
>

Thanks Cathy.
Your explanation is so nice that I have fully understood it.

btw, is the current named secure enough even under the strictest
environment (like a military application)?

Thanks again.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
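
Added example, not part of the original messages and not BIND code: a small Python model of the defaulting rules described in the quoted reply, assuming "recursion yes;" as that reply does. It shows which ACLs end up in force for a given options block and flags the case where an explicit allow-query { any; } is inherited by recursion and cache access. The function names and the sample option sets are hypothetical.

```python
# Added example: models the defaulting rules as described in the quoted
# message, with "recursion yes;" assumed. Names here are hypothetical.
DEFAULT_ACL = ("localhost", "localnets")


def effective_acls(allow_query=None, allow_recursion=None,
                   allow_query_cache=None):
    """Return the ACLs in force for one options block.

    Each argument is a tuple of ACL elements as written in named.conf,
    or None when the statement is absent from the configuration.
    """
    # allow-query on its own defaults to "any" when undefined.
    query = allow_query if allow_query is not None else ("any",)
    if allow_recursion is None and allow_query_cache is None:
        if allow_query is not None:
            # Neither is set but allow-query is explicit: both inherit it.
            rec = cache = allow_query
        else:
            # Nothing at all is defined: restrictive built-in default.
            rec = cache = DEFAULT_ACL
    else:
        # One of the two is set: the missing one defaults to the other.
        rec = allow_recursion if allow_recursion is not None else allow_query_cache
        cache = allow_query_cache if allow_query_cache is not None else allow_recursion
    return {"allow-query": query,
            "allow-query-cache": cache,
            "allow-recursion": rec}


def exposed_to_any(acls):
    """Recursion/cache statements that end up admitting every client."""
    return sorted(k for k in ("allow-query-cache", "allow-recursion")
                  if "any" in acls[k])


if __name__ == "__main__":
    # Constructed sample option sets (addresses are illustrative).
    samples = {
        "nothing defined": {},
        "explicit allow-query any": {"allow_query": ("any",)},
        "only allow-recursion": {"allow_recursion": ("10.0.0.0/8",)},
        "cache and recursion split": {
            "allow_query": ("any",),
            "allow_query_cache": ("10.0.0.0/8", "192.0.2.0/24"),
            "allow_recursion": ("10.0.0.0/8",),
        },
    }
    for label, opts in samples.items():
        acls = effective_acls(**opts)
        print(f"{label}: {acls} exposed={exposed_to_any(acls)}")
```
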