For a change, this is a case of security restrictions being too tight; however, it results in hosts "disappearing" from visible DNS for users of large parts of the net.

If you set up nameservers so that only specified netblocks can make general recursive queries using the global "allow-query { acl-query; };" parameter, but also serve domains/zonefiles from the same server with "allow-query { any; };", then things work well _except_ under the following circumstance:

If you have a DNS entry which is a CNAME to a zonefile/domain not served from the same nameserver (e.g. www.fred.com IN CNAME fredssite.someotherisp.com), then if queried for the CNAME, the nameserver will refuse to answer the query. The end result is that non-local lookups for www.fred.com fail in most circumstances, as the originating site resolver doesn't seem to do a full DNS lookup procedure on fredssite.someotherisp.com, but continues to ask the nameserver it just queried about www.fred.com for data on fredssite.someotherisp.com. The only time I've found that a lookup for www.fred.com. will work is if fredssite.someotherisp.com is already cached in the nameserver making the query.

This was tested with bind 8.1.2 and the associated lookup tools (host, dig, etc.) running on the querying and nameserving hosts.

Workarounds:

1: Leave your nameservers wide open to recursive queries from anywhere on the net.

or

2: Disallow CNAMEs pointing to domains not supplied from the same nameserver.

Both have their problems: Immediately after locking our nameservers down to only allow general queries from authorised netblocks, I found what appeared to be an entire ISP dialin pool in another country hammering the servers. Disallowing offsite CNAMEs means that one must be kept informed whenever another provider changes IPs for offsite hosts you point to, and those changes must be attended to locally asap.

This was forwarded to bind-bugsat_private about a week ago with no response.

AB
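The interaction described above, as an added model (not BIND code and not part of the original post): a restricted server that answers zone queries from anyone but refuses everything else from clients outside the ACL, a resolver that re-asks the same server for the CNAME target, and an audit function for workaround 2. The netblocks, addresses and records are constructed sample values.

```python
"""Model of the BIND 8 allow-query interaction described in the post.

Constructed example: the zone data, ACL and client addresses are made-up
values used only to illustrate the scenario; this is not BIND code.
"""
import ipaddress

# Global "allow-query { acl-query; };" in the options block (constructed netblock).
ACL_QUERY = [ipaddress.ip_network("192.0.2.0/24")]

# Zones served locally with "allow-query { any; };" (constructed records).
ZONES = {
    "fred.com.": {
        "www.fred.com.": ("CNAME", "fredssite.someotherisp.com."),
        "mail.fred.com.": ("A", "192.0.2.25"),
    },
}

def served_zone(qname):
    """Return the locally served zone that contains qname, or None."""
    for zone in ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None

def server_answer(client_ip, qname):
    """What the restricted nameserver returns for one query.

    Names inside a served zone are answered for anyone (zone-level allow-query any);
    everything else falls under the global ACL and is REFUSED for outside clients.
    """
    zone = served_zone(qname)
    if zone is not None:
        return ZONES[zone].get(qname, ("NXDOMAIN", None))
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in ACL_QUERY):
        return ("RECURSED", None)  # the server would recurse for an authorised client
    return ("REFUSED", None)

def resolve(client_ip, qname, cache=None):
    """Mimic the querying resolver the post describes: after receiving the CNAME it
    asks the same server for the target instead of doing a fresh lookup, unless the
    target is already in its own cache."""
    cache = cache or {}
    rtype, rdata = server_answer(client_ip, qname)
    if rtype == "CNAME":
        if rdata in cache:
            return ("A", cache[rdata])
        return server_answer(client_ip, rdata)
    return (rtype, rdata)

def offsite_cnames():
    """Audit for workaround 2: CNAMEs whose target is not in a zone this server serves."""
    return sorted(name for zone in ZONES.values() for name, (t, target) in zone.items()
                  if t == "CNAME" and served_zone(target) is None)
```

Running `resolve` from an address outside the ACL shows the failure mode (the CNAME is returned, the follow-up for the target is refused), while an in-ACL client or a pre-populated cache succeeds.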
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:36 PDT