Re: recursive lookups-followup

From: Men & Mice Support
Date: Sunday, September 7, 2003
Time: 3:22:11 pm

At 1:56 AM -0500 9/7/03, billc_lists@greenbuilder.com wrote:
>At 11:52 AM -0800 12/13/02, Men & Mice Support wrote:
>>If you want to limit zone transfer access, you should limit it to
>>(a) slave servers and (b) machines where you run diagnostic
>>software.
>>
>>If you want to limit recursive query access, be sure to allow all
>>client machines to have access - any machine which should have this
>>server's IP address listed in their TCP/IP settings as a name
>>server.
>
>Is there a way to list a range to allow/disallow?

You can specify a subnet. For a BIND-based name server, use
router-style notation, such as "192.168.1/24" or "192.168.1.0/24".

Note that, if you specify any rule other than the default "allow
any", the default changes to "deny any". That is, any address not
explicitly allowed by your ruleset will be denied.

>If I choose "localnets", I suspect that will only include those
>machines on the local network of the QDNS server, and won't include
>any machines behind a router/firewall that use a local network (i.e.,
>real IP address 205.238.x.y on the same subnet as QDNS is the public
>address for all machines behind the router/firewall, with IPs
>192.168.0.1-192.168.0.255). So I would therefore have to manually
>enter up to 255 "allows" for each such local network?

Keep in mind that, as far as the DNS server is concerned, all those
requests come from the NAT server. So since the DNS server is outside
of the private subnet, you don't have to specify private addresses at
all.
____________________________________________________________________
Chris Buxton Men & Mice
Customer Support Specialist Making DNS Easy
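
The rules discussed in this message, written out as a named.conf fragment for a BIND 9 server. This is an added example, not part of the original message and not Men & Mice's own configuration; the ACL names and every address are constructed placeholders.

```conf
// Constructed example: ACL names and all addresses are placeholders.

// Zone transfers: only slave servers and hosts running diagnostic software.
acl "xfer-peers" {
    192.0.2.53;          // slave name server (assumed address)
    192.0.2.10;          // admin workstation used for diagnostics (assumed)
};

// Recursion: every machine that lists this server as its name server.
acl "resolver-clients" {
    localhost;           // the server itself
    localnets;           // subnets directly attached to the server
    198.51.100.0/24;     // a remote client subnet, given as one range
    203.0.113.10;        // public address of a NAT router; every host behind
                         // it arrives from this single source address, so the
                         // private 192.168.x.y addresses are never listed
};

options {
    // A source address that matches nothing in a list is refused, so
    // anything left out of the ACLs above is denied.
    allow-transfer  { "xfer-peers"; };
    allow-recursion { "resolver-clients"; };
};
```

After reloading, a recursive query and an AXFR request sent with dig from a host outside both lists should each come back refused, which confirms the deny-by-default behaviour described above.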


