Re: Only allow certain clients to do lookups
From: Men & Mice Support
Date: Tuesday, October 26, 2004
Time: 11:22:54 pm

At 10:16 PM -0700 10/26/04, Scott Haneda wrote:
>on 10/26/04 9:43 PM, Men & Mice Support at cbuxton@menandmice.com wrote:
>
>> At 9:31 PM -0700 10/26/04, Scott Haneda wrote:
>>> on 10/26/04 9:21 PM, Men & Mice Support at cbuxton@menandmice.com wrote:
>>>
>>>> You can enter a range, in subnet notation, or you can enter a single
>>>> IP. Open the server's Options window and click on "Query
>>>> restrictions", then modify the list (which currently says "allow
>>>> any").
>>>
>>> Does allow localnets mean anything within my subnet range? I had it set to
>>> just localhost, which you would assume would certainly block me out here in
>>> comcast land; I was still able to get an answer from the server via dig. How
>>> can I prove to myself that this is working?
>>
>> Look at the "flags" section of the response to a dig command. If "ra"
>> (recursion available) is present, then it's not working.
>>
>> In general, I have found the "localhost" and "localnets" values to be
>> unreliable.
>
>Do I run the dig command with a @server.domain.com arg and would it be good
>to run it with the +norecurse option as well?
This will work:
dig @server +norecurse
You could leave off the "+norecurse", but that would introduce the
possibility that your server wouldn't answer.
>If I have it set right, would this mean I should not be able to load any new
>domains on my local workstation here? As it is now, I told it to deny all
>and I am still able to load websites.
Do you have any other DNS servers listed in your TCP/IP settings?
>Also, to confirm, in the transfer restrictions, I have now set that to only
>have two entries, one for each of the two slave machines that are slaving
>all my domains. Can you see any reason I need to add any other IPs to
>allow zone transfers?
No, unless you use DNS Expert or some other analyzer to check your zones.
>Also, to understand query restrictions, what is it that I am restricting
>here? Is this only going to stop others from using my DNS server as a local
>resolver,
Yes.
> or will deny all stop my entire server from working?
No, that would not be very useful (though BIND does have this type of
configuration option as well).
>I tried to
>read about this in the manual, but it is somewhat vague as to what it really
>does. My guess is the entire world will at some time or another need to ask
>something of my DNS server, so this setting's mere existence confuses me,
>other than to block known abusers?
Use this setting to permit authorized users to send recursive queries
to your server (meaning, permit authorized users to ask your server
to do work). Anyone else's query will have the "rd" flag (recursion
desired) ignored.
Chris Buxton
Men & Mice - Making DNS Easy
Customer Service and Sales Engineer
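The reply above describes two things a practitioner would want to check mechanically: whether a client address falls inside the query-restriction list (single IPs or ranges in subnet notation), and whether the "ra" flag in a dig response shows the server is still offering recursion to that client. The script below is an added example, not code from this thread or from Men & Mice; the dig output it parses is constructed inline to mimic the header BIND returns to an allowed and to a denied client, and the restriction-list entries (192.0.2.0/24, 198.51.100.7) are assumed sample values.

```python
import ipaddress
import re

# Constructed sample dig output (not captured from any real server): the
# header a client sees when it IS in the server's recursion allow list.
DIG_RECURSION_ALLOWED = """\
; <<>> DiG 9.x <<>> @ns.example.test +norecurse www.example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed sample for a client NOT in the allow list: "ra" is absent.
# With +norecurse the server still answers for its own zones, so the
# flags line is present and can be inspected.
DIG_RECURSION_DENIED = """\
; <<>> DiG 9.x <<>> @ns.example.test +norecurse www.example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

# dig prints the header flags on a line of the form ";; flags: qr rd ra; QUERY: ..."
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def dig_flags(output):
    """Return the set of header flags (e.g. {'qr', 'aa', 'ra'}) from dig output."""
    m = FLAGS_RE.search(output)
    if not m:
        raise ValueError("no ';; flags:' line in dig output")
    return set(m.group(1).split())


def recursion_available(output):
    """True if the server advertised 'ra' (recursion available) to this client."""
    return "ra" in dig_flags(output)


def parse_acl(entries):
    """Each entry is a single IP or a range in subnet (CIDR) notation, as typed
    into the 'Query restrictions' list. A bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_allowed(client_ip, acl):
    """True if client_ip matches any entry of the parsed restriction list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


def check_restriction(client_ip, acl_entries, output):
    """Compare what the restriction list says this client should get with what
    the server actually advertised. Returns (expected_ra, observed_ra, consistent)."""
    expected = client_allowed(client_ip, parse_acl(acl_entries))
    observed = recursion_available(output)
    return expected, observed, expected == observed


if __name__ == "__main__":
    # Assumed sample restriction list: one range, one single host.
    acl = ["192.0.2.0/24", "198.51.100.7"]
    for ip, out in (("192.0.2.40", DIG_RECURSION_ALLOWED),
                    ("203.0.113.9", DIG_RECURSION_ALLOWED),
                    ("203.0.113.9", DIG_RECURSION_DENIED)):
        exp, obs, ok = check_restriction(ip, acl, out)
        print(f"{ip}: expected ra={exp} observed ra={obs} -> {'OK' if ok else 'MISMATCH'}")
```

In practice you would feed the function the real output of `dig @server +norecurse` run from the client address under test; a MISMATCH where a client outside the list still sees "ra" means the restriction is not taking effect, which is exactly the symptom Scott describes. The script does not need network access itself, so it can be used to sanity-check saved dig output from several vantage points.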