> >
> > I think it is always a good idea that if you have an external-facing
> > DNS server that you disable recursive lookups on it. I don't know what
> > sort of situation you're in, but I would normally recommend two
> > different servers, one for the internal network (read: not externally
> > accessible), and one for the external network (read: internet
> > accessible). However, depending on your situation, if you only have
> > one server to dedicate for this, you can set it so that it only allows
> > recursive lookups for internal IP addresses:
> >
> > allow-recursion { 127.0.0.1; 192.168.0.0/24; };
> >
> > in the options section of your bind config.

>
> Even so, with this line in my bind config a query from a remote host
> fails. However, if I fire that same query from the internal network it
> succeeds.
>
> This is intended.
>
> If you then retest that query from the remote host it also succeeds.
>
> So initial queries fail, but successful queries from the internal LAN will
> build a cache and it will even return those results to a remote host
> querying for that same name. Not sure if that was intended or not.
>
> This is in BIND 9.2.1, which is shipped with Debian 3.1.


Upgrade. BIND 9.2.1 is ancient.

> Kind regards,
>
> Seth
>
>


// in options: restrict both recursion and answering to the internal ACL
allow-recursion { acl; };
allow-query { acl; };

// then re-open each authoritative zone to everyone
zone ... {
...
allow-query { any; };
};

...

zone ... {
...
allow-query { any; };
};

9.4.0 has allow-query-cache.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
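The weak configuration from the thread beside the two corrected forms Mark describes, written out as an added example (not a config from the original thread or from ISC). The acl name `internal`, the zone `example.com` and its file name are assumptions; the three `options` blocks are alternatives, not one file.

```conf
// Assumed ACL covering the internal network from the thread.
acl internal { 127.0.0.1; 192.168.0.0/24; };

// WEAK (what Seth tested): only recursion is restricted. Queries from
// anywhere are still answered, so once an internal client has populated
// the cache, a remote host can read those cached answers back.
options {
    allow-recursion { internal; };
};

// CORRECTED for BIND 9.2/9.3: restrict all queries to the internal ACL
// in options, then re-open only the authoritative zones to everyone.
// Remote hosts get authoritative data only; cache answers stay internal.
options {
    allow-recursion { internal; };
    allow-query     { internal; };
};

zone "example.com" {                 // hypothetical authoritative zone
    type master;
    file "db.example.com";           // assumed zone file name
    allow-query { any; };            // public data stays public
};

// CORRECTED for BIND 9.4.0 and later: allow-query-cache gates cache
// answers directly, so allow-query can stay open without per-zone overrides.
options {
    allow-recursion   { internal; };
    allow-query       { any; };
    allow-query-cache { internal; };
};
```

To confirm the fix, repeat Seth's test: resolve a name from the internal LAN first, then query the same name from an external host; it should now be refused rather than answered from cache.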