[BlueOnyx:11629] Re: BIND config

Barry Mishkind barry at oldradio.com
Fri Oct 26 22:21:52 -05 2012


Hello Michael,

Thanks to you and the others for your help thus far.

>>         And I can confirm that this option does have an effect. Unchecking it may stop recursion, but it also stops all outgoing email ... saying
>>         "host unknown"
>
>Yes, please see "[BlueOnyx:11627] Re: BIND config". 

        I've checked that, and in /var/named/c*****/***/named.conf 
        we see:
options {
  directory "/var/named";
  // spoof version for a little more security via obscurity
  version "100.100.100";
  // no forwarders defined
  allow-transfer { 208.XX.XXX.XX; 208.XX.XXX.xx0; };
  allow-recursion { 127.0.0.1/30; 208.xx.XXX.0/24; };
  // recursion allowed
};

The allow-transfer is the DNS from the ISP, virtbiz; the allow-recursion is localhost and my server's IP block.

>Your server needs to use at least one DNS server that answers to all DNS related queries. If your BlueOnyx uses your own DNS server and you disable recursion, then your DNS server will only answer DNS related queries for domains or IP's that your DNS server has records for. So if you try to send an email to xxxxxxx at gmail.com and your server has no records for gmail.com, then it'll say that it has no records for that domain. And the email delivery will fail.
>
>>         Forwarding servers:  No entry
>>         Zone Transfer Access by IP Address:
>>                 208.xx.xx.xx
>>                 208.xx.xx.xx0
>>                 65.xxx.xx.xx
>>                 209.xxx.xx.xx
>>         and
>>         Query Request Recursion Access by IP Address:
>>                 127.0.0.1/30
>>                 208.xx.xxx.x/24
>
>Zone transfer access and recursion access are two entirely different
>pairs of shoes.
>
>"Zone Transfer Access" defines which DNS servers can pull the entire
>zone files from your DNS servers. This is useful if you have one master
>DNS server and one or more slaves. On the master you say: IP of the
>slave may do zone transfers. And the slave can then just "clone" the DNS
>records by doing zone transfers.

        To be honest, I am not entirely sure of the 65.xxx and 209.xx,
        but believe them to be one or another of the backup mail
        servers...

>"Query Request Recursion Access" defines which IP addresses or network
>address ranges can ask your DNS server for IP's and domains that you do
>not have records for. So into that field you'd add all the IP's and
>address ranges of servers that use your DNS server to resolve DNS
>related queries.

        That should be OK, as I basically have only one IP address in play.

        I know I'm missing something here ... am I leaving some
        important item out?

        thanks again.
        barry
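
Added example, not part of the original message and not BlueOnyx code: a small Python check of the two ACLs this thread discusses, reporting whether an outside address could recurse or transfer zones and whether 127.0.0.1 can still recurse (the case that produced "host unknown" for outgoing mail). The sample config uses constructed documentation addresses, the names `acl`, `permits` and `audit` are hypothetical, and only literal addresses, CIDR blocks, `any` and `!` negation are evaluated.

```python
import ipaddress
import re

# Constructed sample modelled on the options block in the post; the
# addresses are documentation ranges, not the poster's real ones.
SAMPLE_CONF = """
options {
  // no forwarders defined
  allow-transfer { 198.51.100.10; 198.51.100.20; };
  allow-recursion { 127.0.0.1/30; 192.0.2.0/24; };
};
"""

def acl(conf, name):
    """Return the entries of `name { a; b; };`, or None if absent."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), text)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def permits(entries, client):
    """First-match evaluation of an address match list for one client IP."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        negate, item = entry.startswith("!"), entry.lstrip("! ")
        if item == "any":
            return not negate
        try:  # strict=False accepts host bits set, as in 127.0.0.1/30
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            continue  # "none", named ACLs and keys match nothing in this sketch
        if ip in net:
            return not negate
    return False

def audit(conf, local_clients=("127.0.0.1",), outsider="203.0.113.7"):
    """Hypothetical helper: list problems with the two ACLs discussed above."""
    findings = []
    rec = acl(conf, "allow-recursion")
    if rec is None:
        findings.append("allow-recursion not set; BIND's default applies")
    else:
        if permits(rec, outsider):
            findings.append("open resolver: outside address may recurse")
        findings += ["%s may not recurse: its own lookups will fail" % c
                     for c in local_clients if not permits(rec, c)]
    xfer = acl(conf, "allow-transfer")
    if xfer is None or permits(xfer, outsider):
        findings.append("zone transfers are not limited to listed secondaries")
    return findings
```

Calling `audit()` on the text of a real named.conf returns an empty list when recursion and transfers are both restricted and the local resolver address is still allowed to recurse.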



  



