In article <[EMAIL PROTECTED]>, "Jeff Lightner" <[EMAIL PROTECTED]> wrote:
> I'm using 9.3.4-P1 (backported for the exploit) on RHEL5 so had to do it
> this way. For later BIND versions you're correct based on the reading
> I did at the time.

I'm pretty sure allow-query has always worked the way I describe. If you're not allowed to query at all, it doesn't matter whether you're allowed to recurse. The query is rejected before it ever checks whether the client is in the recursion ACL.

>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Barry Margolin
> Sent: Wednesday, July 30, 2008 10:55 PM
> To: [email protected]
> Subject: Re: Preventing recursion ... (preventing confusion?)
>
> In article <[EMAIL PROTECTED]>,
> "Jeff Lightner" <[EMAIL PROTECTED]> wrote:
>
> > On my RHEL5 box the way I insured neither cache lookups nor recursive
> > lookups would work for outsiders was modify named conf to have:
> >
> > 1) options section:
> > allow-query { internaldns; externaldns; };
> > allow-recursion { internaldns; externaldns; };
>
> Of course, if you're restricting allow-query, you don't need to specify
> allow-recursion. Allow-recursion is only needed when it's more
> restrictive than allow-query.

--
Barry Margolin, [EMAIL PROTECTED]
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
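
The configuration discussed in this thread, laid out as a named.conf fragment. This is an added example, not part of the original posts: the ACL names come from the thread, while the ACL addresses and the example.com zone are assumptions chosen for illustration.

```conf
// Constructed example: ACL names are from the thread; the addresses
// (RFC 5737 documentation ranges) and the zone are placeholders.
acl internaldns { 192.0.2.0/24; };
acl externaldns { 198.51.100.0/24; };

options {
    // Checked first. A client outside this list is refused before
    // the recursion ACL is ever consulted.
    allow-query     { internaldns; externaldns; };

    // Same list as allow-query, so this line changes nothing here.
    // It only has an effect when it is narrower than allow-query.
    allow-recursion { internaldns; externaldns; };
};

// Hypothetical public zone: a zone-level allow-query overrides the
// options-level one for this zone only, so outsiders can look up
// names in example.com but are still refused for everything else.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Running named-checkconf against the file catches syntax errors before named is reloaded.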
