On Fri, 2007-01-19 at 13:02 +1300, joshua sahala wrote:
Joe Abley wrote:
Throw on an ACL to restrict recursive lookups (and to deny queries, if the servers aren't also authority servers) and the problem frequently goes away.
I'd be interested to see a working BIND 9 ACL to restrict recursion to certain clients only.
in named.conf:
// address match list naming the client networks that may ask for recursion
acl "localonly" { 192.168.1.0/24; ... 192.168.250.0/24; };
options {
....
// only clients matching the ACL get recursive service; everyone else is refused recursion
allow-recursion { "localonly"; };
....
};
see the BIND admin reference manual for more info (or one of the many howtos available on teh intarwebs)
/joshua
Is there a significant difference between doing this and setting up two different BIND "views"? I'm currently using two views, one for our internal networks, and one for external networks, with an ACL to decide which view applies and recursion disabled for the external view. I've noticed that with a "views" configuration, the external view is very slow to update (the servers are run as slaves) when the master is updated. The internal view updates almost immediately, but it can be up to an hour or so before queries hitting the external view get the up-to-date records. Would I be losing anything important if I switched to just using the allow-recursion ACL? I suspect views might have been designed for a different configuration scenario...

--
--Michael Fincham
Unleash Technology Solutions
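As an added illustration of both configurations under discussion (joshua's allow-recursion ACL and Michael's two-view setup), the following Python script is not from the thread or from BIND itself. It parses a constructed named.conf fragment and works out, for a given client address, whether the ACL-only server would recurse and which view the two-view server would select. The evaluator models BIND's documented first-match-wins address match list semantics; treating a negated hit inside a nested ACL as "no match" and approximating `localhost` by the loopback check are my assumptions, and `localnets` is not modelled. The names, paths and addresses in the fragment are made up.

```python
import ipaddress
import re

# Constructed named.conf fragment (not from the thread) containing both
# approaches: a global allow-recursion ACL in options {} and two views with
# match-clients. The negated entry is listed FIRST because address match
# lists are first-match-wins; placed after the /24 it would never be reached.
SAMPLE_NAMED_CONF = """
acl "localonly" { !192.168.1.66; 192.168.1.0/24; 192.168.250.0/24; };
acl "everyone"  { any; };

options {
    directory "/var/named";               // hypothetical path
    allow-recursion { "localonly"; };     // ACL-only approach
};

view "internal" {
    match-clients { localonly; };
    recursion yes;
    zone "example.net" { type slave; file "int/example.net"; masters { 192.0.2.1; }; };
};

view "external" {
    match-clients { everyone; };
    recursion no;
    zone "example.net" { type slave; file "ext/example.net"; masters { 192.0.2.1; }; };
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _matching_brace(text, open_idx):
    """Index of the '}' that closes the '{' at open_idx (handles nesting)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in named.conf")


def _blocks(text, keyword):
    """Yield (name, body) for every `keyword "name" { ... };` statement."""
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?\s*\{' % keyword, text):
        close = _matching_brace(text, m.end() - 1)
        yield m.group(1), text[m.end():close]


def _aml(body):
    """Parse an address_match_list body into (negated, token) pairs."""
    items = []
    for raw in body.split(";"):
        tok = raw.strip()
        if tok:
            items.append((tok.startswith("!"), tok.lstrip("!").strip().strip('"')))
    return items


def _match(ip, items, acls, depth=0):
    """First match wins: +1 positive match, -1 negated match, 0 no match.
    A negated hit inside a nested ACL is reported as no match (assumption
    about BIND 9 behaviour); 'localhost' is approximated by the loopback test."""
    if depth > 8:
        raise ValueError("ACL nesting too deep (reference loop?)")
    for neg, tok in items:
        if tok == "any":
            hit = True
        elif tok == "none":
            hit = False
        elif tok == "localhost":
            hit = ip.is_loopback
        elif tok in acls:
            hit = _match(ip, acls[tok], acls, depth + 1) > 0
        else:
            hit = ip in ipaddress.ip_network(tok, strict=False)
        if hit:
            return -1 if neg else 1
    return 0


def parse_named_conf(text):
    """Extract acl definitions, the global allow-recursion list and the views."""
    text = _strip_comments(text)
    acls = {name: _aml(body) for name, body in _blocks(text, "acl")}

    def allow_recursion(body, default):
        m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
        return _aml(m.group(1)) if m else default

    # BIND's built-in default is { localnets; localhost; }; localnets is not
    # modelled here, so the fallback is localhost only.
    global_allow = [(False, "localhost")]
    m = re.search(r"\boptions\s*\{", text)
    if m:
        global_allow = allow_recursion(text[m.end():_matching_brace(text, m.end() - 1)], global_allow)

    views = []
    for name, body in _blocks(text, "view"):
        mc = re.search(r"\bmatch-clients\s*\{([^}]*)\}", body)
        clients = _aml(mc.group(1)) if mc else [(False, "any")]
        r = re.search(r"\brecursion\s+(yes|no)\b", body)
        rec_on = (r.group(1) == "yes") if r else True
        # a view without its own allow-recursion inherits the options {} list
        views.append((name, clients, rec_on, allow_recursion(body, global_allow)))
    return {"acls": acls, "allow_recursion": global_allow, "views": views}


def recursion_allowed_global(conf, client):
    """Decision for a server without views: only the allow-recursion ACL counts."""
    ip = ipaddress.ip_address(client)
    return _match(ip, conf["allow_recursion"], conf["acls"]) > 0


def select_view(conf, client):
    """(view name, recursion allowed) for the first view whose match-clients
    matches the client, or None when no view claims it."""
    ip = ipaddress.ip_address(client)
    for name, clients, rec_on, allow in conf["views"]:
        if _match(ip, clients, conf["acls"]) > 0:
            return name, rec_on and _match(ip, allow, conf["acls"]) > 0
    return None


if __name__ == "__main__":
    conf = parse_named_conf(SAMPLE_NAMED_CONF)
    for client in ("192.168.1.10", "192.168.1.66", "192.168.250.7", "203.0.113.5"):
        print(f"{client:15} ACL only: {recursion_allowed_global(conf, client)!s:5} "
              f"views: {select_view(conf, client)}")
```

Running it shows the two designs agree on who may recurse, which is the point of joshua's answer: for recursion control alone, the ACL is sufficient. The excluded host 192.168.1.66 is instructive on the views side, since a negated hit in the nested ACL drops it out of the internal view entirely, so it lands in the external view rather than simply being denied recursion. After changing the real configuration, confirm it with named-checkconf and by sending a recursive query from an address outside the ACL and checking that it is refused, rather than trusting the parser alone.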