Re: allow-recursion and acls (Bind Users forum, DNS and Related Forums category)
In article <cs3tve$252h$1@sf1.isc.org>,
Jim Mozley <jim.mozley@exponential-e.com> wrote:

> I have a problem with implementing an ACL that restricts recursive
> queries. If I allow recursive queries from any networks all is OK, if I
> try to restrict it to certain networks I can see in the logs that
> recursion is refused for queries from legitimate IP address.
>
> 12-Jan-2005 10:54:33.238 security: notice: denied recursion for query
> from [62.244.x.x].12422 for www.ishop.co.uk IN

Since you x'ed out the third octet of the address, we can't tell whether
this address is within 62.244.160.0/19. Is that octet between 160 and 191?

> Can anyone see anything wrong with the configuration below?
>
> I am running bind 8.4.4.
>
> This is OK:
>
> acl our-nets { any; };
> allow-recursion { our-nets; };
>
> This seems to cause the problems:
>
> acl our-nets { localhost;
> 62.244.160.0/19;
> 83.244.128.0/17;
> };
> allow-recursion { our-nets; };
>
> I have the ACLs in an include file, which is included at the beginning
> of named.conf before the options directive.
>
> Jim

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
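The range check asked about in the reply, as an added example that is not part of the original post: it extracts the client address from "denied recursion" notices and tests it against the networks in the quoted ACL. The function names and all sample addresses except the redacted one are constructed for illustration, and `localhost` is modelled as loopback only, which is an assumption.

```python
import ipaddress
import re

# ACL entries from the quoted named.conf. "localhost" is modelled here as
# loopback only (assumption); BIND's built-in ACL also covers the server's own addresses.
OUR_NETS = ["127.0.0.0/8", "62.244.160.0/19", "83.244.128.0/17"]

# Client address, port and query name in a "denied recursion" notice.
DENIED_RE = re.compile(
    r"denied recursion for query from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) for (?P<qname>\S+)"
)

# Constructed sample log (first line is the redacted notice from the post).
SAMPLE_LOG = [
    "12-Jan-2005 10:54:33.238 security: notice: denied recursion for query from [62.244.x.x].12422 for www.ishop.co.uk IN",
    "12-Jan-2005 10:54:34.001 security: notice: denied recursion for query from [62.244.170.5].12423 for www.example.com IN",
    "12-Jan-2005 10:54:35.002 security: notice: denied recursion for query from [62.244.200.9].12424 for www.example.com IN",
    "12-Jan-2005 10:54:36.003 security: notice: denied recursion for query from [83.244.127.1].12425 for www.example.com IN",
]

def acl_range(cidr):
    """Return (first, last) address covered by a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)

def matching_net(ip, acl=OUR_NETS):
    """Return the first ACL entry containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a redacted address
    return next((c for c in acl if addr in ipaddress.ip_network(c)), None)

def audit(log_lines, acl=OUR_NETS):
    """Classify each denied-recursion notice against the ACL."""
    results = []
    for line in log_lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        try:
            net = matching_net(m.group("ip"), acl)
        except ValueError:
            results.append((m.group("ip"), "unparseable", None))
            continue
        # Denied although a listed network covers the address: worth investigating.
        results.append((m.group("ip"), "unexpected-deny" if net else "expected-deny", net))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Run against the unredacted query log, an "expected-deny" row means the client is simply outside the listed networks, while the redacted address cannot be judged at all.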