From owner-freebsd-questions Sun Nov 10 10:03:14 2002
Date: Sun, 10 Nov 2002 18:03:04 +0000
From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Subject: Re: BIND
Message-ID: <20021110180304.GB84752@happy-idiot-talk.infracaninophi>
In-Reply-To: <200211101351.GAADP3S77820@asarian-host.net>
References: <200211101351.GAADP3S77820@asarian-host.net>
User-Agent: Mutt/1.5.1i

On Sun, Nov 10, 2002 at 02:50:59PM +0100, Mark wrote:

> I was experimenting with BIND (8.3.3) on FreeBSD. I got everything pretty
> much set up properly. Then I came up with the idea to allow outside queries
> for my own domain names, but to disallow outsiders to use my name servers to
> resolve the world. So, I did this:
>
>     zone "." {
>         type hint;
>         file "named.root";
>         allow-query { trusted; };
>     };

What you want is:

    options {
        [...]
        allow-recursion { trusted; };
    };

which will default to denying recursion to anyone except your own trusted
machines, but still allow queries to any zone you're authoritative for.

There's no point in putting much in the way of access control on the '.'
hint zone, but you should investigate the use of allow-query { };,
allow-transfer { }; or even allow-recursion { }; on a per-zone basis for
your other zones.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
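The configuration Matthew describes, written out as a complete named.conf fragment. This is an added example, not text from the post or from the BIND project; the ACL name "trusted" is the one used in the thread, while the zone name example.org, the addresses and the file paths are constructed placeholders.

```conf
// Constructed example named.conf fragment (not from the post).
// "trusted" is the ACL name used in the thread; addresses use the
// RFC 5737 documentation range and example.org is a placeholder.

acl "trusted" {
    127.0.0.1;          // the server itself
    192.0.2.0/24;       // the local network (placeholder range)
};

options {
    directory "/etc/namedb";

    // The control for "do not let outsiders resolve the world" is
    // allow-recursion in options, not an ACL on the hint zone.
    // Recursion is refused to everyone except trusted hosts; queries
    // for zones this server is authoritative for are still answered.
    allow-recursion { trusted; };
};

// Root hints: no per-zone ACL is needed here, the option above
// already decides who may recurse through this server.
zone "." {
    type hint;
    file "named.root";
};

// A public zone this server is authoritative for: anyone may query
// it, but only the named secondary may pull a zone transfer.
zone "example.org" {
    type master;
    file "master/example.org";
    allow-query    { any; };
    allow-transfer { 192.0.2.53; };   // placeholder secondary server
};

// An internal-only zone: both queries and transfers are restricted
// to the trusted networks.
zone "internal.example.org" {
    type master;
    file "master/internal.example.org";
    allow-query    { trusted; };
    allow-transfer { none; };
};
```

After reloading, a recursive query for a name outside your zones sent from an untrusted address should be refused, while a query for a name under example.org from the same address is still answered.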