Bind 8.* bug.

From: Alan Brown (alanat_private)
Date: Mon Jan 11 1999 - 02:02:29 PST


    For a change, this is a case of security restrictions being too tight,
    however it results in hosts "disappearing" from visible DNS for users of
    large parts of the net.
    
    If you set up nameservers so that only specified netblocks can make
    general recursive queries using the global "allow-query { acl-query; };"
    parameter, but also serve domains/zonefiles from the same server with
    "allow-query { any; };", then things work well _except_ under the
    following circumstance:
    
    If you have a DNS entry which is a CNAME to a zonefile/domain not served
    from the same nameserver
    (e.g. www.fred.com IN CNAME fredssite.someotherisp.com)
    then if queried for the CNAME, the nameserver will refuse to answer the query.
    
    The end result is that non-local lookups for www.fred.com fail in most
    circumstances, as the originating site resolver doesn't seem to do a
    full DNS lookup procedure on fredssite.someotherisp.com, but continues
    to ask the nameserver it just queried about www.fred.com for data on
    fredssite.someotherisp.com.
    
    The only time I've found that a lookup for www.fred.com. will work is if
    fredssite.someotherisp.com is already cached in the nameserver making
    the query.
    
    This was tested with bind 8.1.2 and the associated lookup tools (host,
    dig, etc) running on the querying and nameserving hosts.
    
    Workarounds:
    
    1: leave your nameservers wide open to recursive queries from anywhere
       on the net.
    
    or
    
    2: disallow CNAMEs pointing to domains not supplied from the same nameserver.
    
    
    Both have their problems:
    
    Immediately after locking our nameservers down to only allow general
    queries from authorised netblocks, I found what appeared to be an entire
    ISP dialin pool in another country hammering the servers.
    
    Disallowing offsite CNAMEs means that one must be kept informed whenever
    another provider changes IPs for offsite hosts you point to, and those
    changes must be attended to locally ASAP.
    
    
    This was forwarded to bind-bugsat_private about a week ago with no response.
    
    AB
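Workaround 2 above requires knowing which CNAMEs in your zones point off-site. As an added defender-side check that is not part of the original post or of BIND, the script below audits a zone file for exactly those records; the sample zone for fred.com and the list of zones the server is assumed to be authoritative for are constructed here.

```python
"""Audit a BIND zone file for CNAMEs pointing outside the zones this server serves.
Under the restrictive allow-query setup described above, these are the records that
stop resolving for non-local users. Parser is minimal: one RR per line, optional
TTL/class, $ORIGIN honoured, no $INCLUDE or multi-line parentheses."""

# Constructed sample zone for fred.com, modelled on the post's www.fred.com example.
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA   ns1.fred.com. hostmaster.fred.com. 1 3600 900 604800 86400
        IN NS    ns1.fred.com.
ns1     IN A     192.0.2.1
www     IN CNAME fredssite.someotherisp.com.  ; off-site target: refused under the ACL
ftp     IN CNAME ns1                          ; relative name inside fred.com: fine
mail    IN CNAME relay.example.net.           ; example.net is served here too: fine
"""

def fqdn(name, origin):
    """Qualify a zone-file name against the current $ORIGIN ('@' means the origin)."""
    name = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    return name.lower()

def offsite_cnames(zone_text, origin, served_zones):
    """Return [(owner, target)] for every CNAME whose target lies outside served_zones."""
    origin = origin if origin.endswith(".") else origin + "."
    served = {(z if z.endswith(".") else z + ".").lower() for z in served_zones}
    results, last_owner = [], fqdn("@", origin)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()         # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # directives: only $ORIGIN matters here
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():                         # blank owner field = previous owner
            owner = last_owner
        else:
            owner, fields = fqdn(fields[0], origin), fields[1:]
        last_owner = owner
        # Skip optional TTL and class tokens so the RR type is fields[0].
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) >= 2 and fields[0].upper() == "CNAME":
            target = fqdn(fields[1], origin)
            # A target equal to, or under, a served zone is answerable from this server.
            if not any(target == z or target.endswith("." + z) for z in served):
                results.append((owner, target))
    return results
```

Run it against each zone file with the list of zones from your named.conf; every reported owner is a record that the restrictive ACL will make invisible to outside resolvers.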
    