LinuxSA Mailing list archives
From: Michael Kratz <michael_kratz@hotmail.com>
To: <linuxsa@linuxsa.org.au>
Date: Tue, 29 May 2001 18:23:47 +0930
Subject: Re: Bind dilemmas.
> > > It's difficult to see anything dodgy in there.
> >
> > I shouldn't be able to punch non-authoritative requests through
> > your name server ...
>
>Daryl,
>
>I'm afraid I don't have any idea whether that should or should
>not be possible.
>Where would I read up on what my "named" _should_ do?
>I have the O'Reilly BIND book, and have read lots of
>docs and manuals on BIND.
>But they just tell you what you _can_ do.
Umm, someone correct me if I am wrong, but doesn't the value
allow-recursion {xxx.xxx.xxx.xxx}; fix that? It only allows recursion
(lookups) by certain IP address ranges.
Have a look in the man pages under ACLs.
Same as you should have allow-transfer {secondary ns ip addrs},
i.e. see below; this is part of one of my BIND 8.2.3 conf files
(note the configs may be different for 9.1 but the principle is the same):
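    options {
        directory "/var/named";
        version "None of your business";
        forward first;
        forwarders {
            139.130.4.4;
            203.50.2.71;
        };
        // only these hosts may request zone transfers
        allow-transfer {
            139.130.4.5;
            203.50.0.24;
            203.50.2.74;
            203.50.1.64/26;
        };
        // kingcc is not a built-in ACL name; it has to be defined by an
        // acl statement elsewhere in the file (not shown in this excerpt)
        allow-query { localhost; kingcc; };
        // only these clients get recursive lookups
        allow-recursion { localhost; kingcc; };
    };
    logging {
        category statistics { null; };
        category lame-servers { null; };
        category cname { null; };
    };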
Regards,
Michael
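
An offline audit of the three ACL options used in the config above, as an added example that is not part of the original message. It reads the options block of a named.conf and reports allow-recursion, allow-transfer and allow-query when they are missing or contain "any". The function names and both sample configs are constructed for illustration, and the check does not expand named ACLs or negated entries.

```python
import re

# Constructed sample configs (addresses are documentation ranges, not real servers).
OPEN_CONF = """
options {
    allow-transfer { 192.0.2.5; };
};
"""
RESTRICTED_CONF = """
acl trusted { 192.0.2.0/24; };
options {
    forwarders { 192.0.2.53; };   // nested braces inside options
    allow-transfer { 192.0.2.5; };
    allow-query { localhost; trusted; };
    allow-recursion { localhost; trusted; };
};
"""
CHECKED = ("allow-recursion", "allow-transfer", "allow-query")

def strip_comments(text):
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text between the braces of the options statement."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def audit(conf):
    """List the checked options that are unset or that name 'any'."""
    body = options_body(strip_comments(conf))
    findings = []
    for key in CHECKED:
        m = re.search(r"(?<![\w-])" + key + r"\s*\{([^{}]*)\}", body)
        if m is None:
            findings.append(key + ": not set")
        elif "any" in [e.strip() for e in m.group(1).split(";")]:
            findings.append(key + ": open to any")
    return findings

if __name__ == "__main__":
    print(audit(OPEN_CONF), audit(RESTRICTED_CONF))
```

A "not set" finding matters on BIND 8 because an unset allow-recursion, allow-transfer or allow-query permits all hosts.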