BIND DNS Server: Why “allow-query any” is Required for Domain Resolution and Security Considerations

When setting up a BIND DNS server on CentOS 6.0 (BIND version 9.7.0-P2), many administrators encounter a puzzling situation where domains fail to resolve unless allow-query is set to "any". Let's examine this behavior and explore proper configuration approaches.

The default BIND configuration typically includes:

allow-query { localhost; };

However, when changed to:

allow-query { any; };

Resolution then works. That alone points to a networking or configuration problem: the clients' source addresses, as seen by the server, are not matching the restricted address list.

When restricting queries to specific networks, you must ensure:

  • Proper network connectivity exists between clients and DNS server
  • Correct CIDR notation is used for network ranges
  • Firewall rules permit DNS traffic (UDP/TCP port 53)

For a server that should answer clients on the 10.0.1.0/24 network:

options {
    listen-on port 53 { any; };
    allow-query { 127.0.0.1; 10.0.1.0/24; };
    recursion yes;          // required for clients to resolve names outside your own zones;
                            // the allow-recursion list below confines it to trusted networks
    allow-recursion { 127.0.0.1; 10.0.1.0/24; };
    dnssec-enable yes;
    dnssec-validation yes;
};

If resolution fails with a restricted allow-query:

  1. Verify the client's IP is in the allowed range: ip addr show (on the client)
  2. Check connectivity and the server's answer: dig @server_ip domain.com
  3. Inspect query logs: tail -f /var/log/messages (enable query logging first with rndc querylog)
  4. Test firewall rules: iptables -L -n -v
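An added example (not from the original page) that automates the first two checks: it parses an allow-query list out of a named.conf fragment, applies BIND's first-match-wins address-list semantics (including a negated "!" entry) to a client address, and maps the lines dig prints to the likely cause of a failure. The named.conf fragment and dig lines in the tests are constructed.

```python
import ipaddress
import re

# Constructed named.conf fragment (assumption, not the page's own file): the
# negated entry shows that BIND evaluates address-match lists first-match-wins.
NAMED_CONF = """
options {
    allow-query { 127.0.0.1; !10.0.1.5; 10.0.1.0/24; };
};
"""

def parse_acl(conf, directive="allow-query"):
    """Return the directive's address-match list as (negated, element) pairs."""
    m = re.search(rf"{directive}\s*\{{([^}}]*)\}}", conf)
    if not m:
        return []
    elems = []
    for tok in m.group(1).split(";"):
        tok = tok.strip()
        if tok:
            elems.append((tok.startswith("!"), tok.lstrip("!").strip()))
    return elems

def acl_allows(acl, client_ip):
    """First matching element decides; '!' denies; no match at all means REFUSED.
    'localhost' is simplified to loopback (BIND also matches every local interface)."""
    ip = ipaddress.ip_address(client_ip)
    for negated, elem in acl:
        if elem == "any":
            matched = True
        elif elem == "none":
            matched = False
        elif elem == "localhost":
            matched = ip.is_loopback
        else:
            matched = ip in ipaddress.ip_network(elem, strict=False)
        if matched:
            return not negated
    return False

def diagnose_dig(output):
    """Map the telltale lines of a dig transcript to the most likely cause."""
    if "connection timed out" in output:
        return "no reply: packet dropped or never routed (firewall, routing, listen-on)"
    if "status: REFUSED" in output:
        return "REFUSED: client source address is not in allow-query"
    if "recursion requested but not available" in output:
        return "answered, but recursion denied: check recursion / allow-recursion"
    return "ok" if "status: NOERROR" in output else "unknown: inspect the full dig output"
```

A timeout and a REFUSED answer are different problems: the first means the query never reached named (or its reply was dropped), the second means named received it and rejected the source address.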

While allow-query { any; }; works, it exposes your server to:

  • DNS amplification attacks, especially if recursion is also open to the world
  • Unauthorized zone transfers, unless allow-transfer is restricted separately
  • Cache poisoning attempts against a recursive resolver that anyone can query

Always implement additional protections like:

allow-transfer { none; };                  // or list only your secondaries; never "any"
rate-limit { responses-per-second 10; };   // response rate limiting; available from BIND 9.10, not in 9.7

For newer BIND versions (9.11+), consider:

options {
    allow-query { 127.0.0.1; 10.0.1.0/24; };
    allow-query-cache { 127.0.0.1; 10.0.1.0/24; };   // who may read cached (non-authoritative) answers
    allow-recursion { 127.0.0.1; 10.0.1.0/24; };
    response-policy { zone "rpz"; };                  // requires a zone "rpz" to be defined elsewhere in the config
};

When configuring BIND (Berkeley Internet Name Domain) as a DNS server, a common roadblock is domain resolution failing unless allow-query is set to "any". Let's examine why this occurs and what a proper configuration looks like.

The allow-query directive specifies which clients are permitted to send DNS queries to your server. In your configuration:

// Original restrictive setting
// allow-query { localhost; };

// Working but insecure setting
allow-query { any; };

When the list is restricted to localhost, or to 127.0.0.1 and 10.0.1.0/24, resolution fails because:

  • External clients outside these ranges are blocked
  • Network Address Translation (NAT) may alter source IPs
  • IPv6 queries might be originating from different addresses

Instead of opening to "any", specify your trusted networks:

options {
    listen-on port 53 { 127.0.0.1; 192.168.1.10; }; // loopback plus your server's IP; without 127.0.0.1 here,
                                                   // local queries never reach named even though allow-query permits them
    allow-query {
        127.0.0.1;
        192.168.1.0/24;
        10.0.1.0/24;
    };
    // Other options...
};

After configuration changes:

  1. Check syntax: named-checkconf
  2. Reload BIND: service named reload
  3. Test from client: dig @your.server.example.com example.com

Ensure your firewall allows UDP and TCP port 53 traffic from the permitted networks. Note that the default CentOS 6 INPUT chain ends with a REJECT rule, so rules appended with -A land after it and never match; in that case insert them with -I instead:

iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s 192.168.1.0/24 -j ACCEPT

For complex setups, implement BIND views. Views are matched in the order they appear, so the specific internal view must precede the catch-all external one, and once any view is defined every zone (including the root hints and localhost zones) must live inside a view:

view "internal" {
    match-clients { 192.168.1.0/24; };   // trusted clients: full recursive service
    recursion yes;
    zone "example.com" {
        type master;
        file "/var/named/internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };              // everyone else: authoritative answers only
    recursion no;
    zone "example.com" {
        type master;
        file "/var/named/external/example.com.zone";
    };
};