Thanks very much to everyone who replied and explained this set of problems in such detail to me. It's now clear as day and of course you are correct. You have made my day. :-)
As for "allow-query" instead of "allow-recursion" - I see what you mean, the stub resolvers seem to react differently to "recursion not available" than they do to a flat-out "refused", especially when more than one name server is configured. However I cannot refuse because the clients still need to be able to resolve our zones. I will work something out for this, so thanks for that hint as well.

Regards
Frank

----- Original message -----
From: "Kevin Darcy" <k...@chrysler.com>
Sent: Tue, 26.1.2010 00:08
To: bind-users@lists.isc.org
Subject: Re: AW: Disabling recursion causes browser hangs on clients with auto proxy config

On 1/25/2010 2:47 PM, Niall O'Reilly wrote:
> Frank Stanek wrote:
>> I'm sorry but I don't quite understand what you mean. Could you
>> please elaborate this on the basis of this excerpt from our pac
>> file?
>>
>> function FindProxyForURL(url, host)
>> {
>> var proxy1 = "PROXY 192.168.240.29:8080";
>> var proxy2 = "PROXY 172.16.1.30:8080";
>> if ( dnsDomainIs(host, ".intern")
>> || shExpMatch(url, "*//localhost*")
>> || shExpMatch(url, "*//127*")
>
> So far so good: you've tried to match part of the text of the
> URL against each of those rules.
>
>> || isInNet(host, "192.168.1.0", "255.255.255.0")
>> // more lines with subnets
>
> Before applying this rule, your browser has to convert the
> domain name given in the URL to an address, in order to check
> whether the address belongs to the subnet. Since you've
> chosen to block recursive name resolution, this rule will fail
> except for domain names for which your name server is
> authoritative; likewise for "more lines with subnets".
>
Good analysis.
More generally,

1) isInNet() or any other function which causes constant DNS lookups is bad from a DNS infrastructure point of view, and can run into caching complications

2) any form of access control which involves turning off recursion for particular clients is iffy, since stub resolvers don't react consistently to unexpected lookup results such as referrals. It is generally better to give a definitive REFUSED response, in order to make one's intent clear. In BIND terms, that would be "allow-query" rather than "allow-recursion".

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
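The following is an added example, not code from the thread or from Frank's actual PAC file. It puts the PAC rule shape quoted above next to a variant in which the isInNet() subnet test is only reached for literal IP addresses, so that a browser never has to ask the name server to resolve an external name just to evaluate the proxy rules. The PAC built-ins (dnsDomainIs, shExpMatch, isInNet, dnsResolve) are minimal stand-ins for the browser's own, with a lookup counter added so the difference can be measured offline; the ZONE table, the hostnames and the function names FindProxyForURL_original, FindProxyForURL_hardened and countLookups are constructed for this illustration.

```javascript
// Added example (not from the mailing-list thread). Stand-ins for the PAC
// built-ins: the only authoritative zone is ".intern" and recursion is off,
// so any other name fails to resolve, as Niall describes in the thread.
const ZONE = { "fileserver.intern": "192.168.1.10", "www.intern": "192.168.240.5" }; // constructed
let dnsLookups = 0;

function isIpLiteral(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }

function dnsResolve(host) {
  dnsLookups += 1;            // every call here would be a real DNS query in a browser
  return ZONE[host] || null;  // non-recursive server: external names do not resolve
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, pattern) {
  // PAC globs: '*' and '?' are wildcards, everything else is literal.
  const re = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                                     .replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}
function isInNet(host, net, mask) {
  // A hostname forces a resolution before the subnet comparison can happen.
  const ip = isIpLiteral(host) ? host : dnsResolve(host);
  if (!ip) return false;
  const toInt = s => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Shape from the thread: every host that misses the earlier rules falls through
// to isInNet(), costing a lookup the non-recursive server cannot answer.
function FindProxyForURL_original(url, host) {
  const proxy1 = "PROXY 192.168.240.29:8080";
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")
      || isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return proxy1;
}

// Hardened shape: names in the authoritative zone are handled by dnsDomainIs(),
// and the subnet rule is applied only to literal addresses, so no rule ever
// triggers a DNS lookup for an external name.
function FindProxyForURL_hardened(url, host) {
  const proxy1 = "PROXY 192.168.240.29:8080";
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")) {
    return "DIRECT";
  }
  if (isIpLiteral(host) && isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return proxy1;
}

// Evaluate one PAC function and report both its decision and how many lookups it caused.
function countLookups(fn, url, host) {
  dnsLookups = 0;
  const result = fn(url, host);
  return { result, lookups: dnsLookups };
}

console.log(countLookups(FindProxyForURL_original, "http://www.example.com/", "www.example.com"));
console.log(countLookups(FindProxyForURL_hardened, "http://www.example.com/", "www.example.com"));
```

The lookup counter is the point of the exercise: for an external site, the original shape performs one resolution per evaluation (which a non-recursive server cannot satisfy, and which the browser may wait on), while the hardened shape performs none and still routes literal addresses in 192.168.1.0/24 and names under .intern directly. Real PAC hosts have differing behaviour for hostnames containing IPv6 literals, so the isIpLiteral() check above is an IPv4-only illustration.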