First and foremost, you need to upgrade your version of BIND. It is
vulnerable to the recent DNS cache poisoning vulnerability that I'm sure
you have heard about by now.

See http://www.isc.org/sw/bind/bind-security.php for more information.

Josh

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
Behalf Of Peter Laws
Sent: Wednesday, July 30, 2008 11:11 AM
To: bind-users@isc.org
Subject: Preventing recursion ... (preventing confusion?)

OK, so I'm not running *real* BIND, but Redhat's "special" version
(bind-9.2.4-22.el3).
On my authoritative servers, I have allow-query set to 'any' (has to be
that, of course) and allow-recursion set to an acl that allows just our
inside networks.

I *thought* that would allow folks to look up zones for which we were
authoritative and give the e-finger to anyone off-campus asking for
anything else.

Apparently that's not quite the case.

When I dig for, say, google.com from off-campus against my nameservers, I
get one of two kinds of answers: From my master, I get A, NS, and glue for
google.com. From my slaves, I get NS and glue only.

I thought, that by setting allow-recursion to my own little part of the
world, that any request for zones which I'm not authoritative would just
get (pick your analogy) a blank stare or the e-finger?

So, am I 1) confused about allow-recursion, 2) not correctly configured
(see also #1) or 3) looking at a bug in RH's diddling of BIND?

Peter

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws@ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, craigc@ou.edu. Thank you!