Re: AW: Disabling recursion causes browser hangs on clients with auto proxy config

2010-01-25 Thread Niall O'Reilly

Frank Stanek wrote:

I'm sorry but I don't quite understand what you mean. Could you
please elaborate this on the basis of this excerpt from our pac
file?

function FindProxyForURL(url, host)
{
var proxy1 = "PROXY 192.168.240.29:8080";
var proxy2 = "PROXY 172.16.1.30:8080";
if ( dnsDomainIs(host, ".intern")
|| shExpMatch(url, "*//localhost*")
|| shExpMatch(url, "*//127*")


So far so good: you've tried to match part of the text of the
URL against each of those rules.


|| isInNet(host, "192.168.1.0", "255.255.255.0")
// more lines with subnets


Before applying this rule, your browser has to convert the
domain name given in the URL to an address, in order to check
whether the address belongs to the subnet.  Since you've
chosen to block recursive name resolution, this rule will fail
except for domain names for which your name server is
authoritative; likewise for more lines with subnets.


Best regards,

Niall O'Reilly
University College Dublin IT Services
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
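To make Niall's point concrete, here is an added example (not part of the thread, and not Frank's PAC file): a node-runnable model of PAC evaluation with stand-in helper functions and a constructed name server that answers only the one name it is authoritative for. It shows that the first three rules never touch DNS, that isInNet() does, and that moving isInNet() behind an IP-literal check keeps named hosts from ever triggering a lookup. The names evaluate, findProxyAsPosted, findProxyNoLookup and AUTHORITATIVE_ANSWERS, the addresses, and the "DIRECT" result on a match (the excerpt does not show what the rule block returns) are assumptions for the demo.

```javascript
// Added example, not code from the original thread: a small model of PAC
// evaluation showing which rules need a DNS lookup and which do not.
// The helpers below imitate the standard PAC API (dnsDomainIs, shExpMatch,
// isInNet, dnsResolve) in plain JavaScript so the file runs under node;
// they are simplified stand-ins, not a browser's implementation.

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Constructed data: the only name our non-recursive server can answer,
// because it is authoritative for that zone.
const AUTHORITATIVE_ANSWERS = { "intranet.example.intern": "192.168.1.10" };

// Every name that had to go to the network is recorded here.
const dnsQueries = [];

// Model of the client's stub resolver talking to a server with recursion
// disabled: names the server is authoritative for get an answer, anything
// else gets no usable answer. A real browser blocks on that lookup (and on
// its retries) instead of returning promptly, which is the hang in the thread.
function dnsResolve(host) {
  if (IPV4_LITERAL.test(host)) return host;   // literal: no query needed
  dnsQueries.push(host);
  return AUTHORITATIVE_ANSWERS[host] || null;
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Shell-style glob match as used by PAC: '*' and '?' are wildcards.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                       .replace(/\*/g, ".*")
                       .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// isInNet() resolves the host first: this is the call that costs a DNS lookup.
function isInNet(host, pattern, mask) {
  const addr = dnsResolve(host);
  if (addr === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(addr) & m) === (ipToInt(pattern) & m);
}

// The posted rule order. Returning "DIRECT" on a match is an assumption.
function findProxyAsPosted(url, host) {
  const proxy1 = "PROXY 192.168.240.29:8080";
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")
      || isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return proxy1;
}

// Reordered so isInNet() is only reached for IPv4 literals, which
// dnsResolve() answers without touching the network. Named hosts on the
// subnet must then be caught by a textual rule (here the .intern suffix).
function findProxyNoLookup(url, host) {
  const proxy1 = "PROXY 192.168.240.29:8080";
  if (dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*")) {
    return "DIRECT";
  }
  if (IPV4_LITERAL.test(host)
      && isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return proxy1;
}

// Run one PAC function and report the verdict plus the names sent to DNS.
function evaluate(pac, url, host) {
  dnsQueries.length = 0;
  const verdict = pac(url, host);
  return { verdict, queried: dnsQueries.slice() };
}

console.log(evaluate(findProxyAsPosted, "http://www.example.com/", "www.example.com"));
console.log(evaluate(findProxyNoLookup, "http://www.example.com/", "www.example.com"));
```

The reordered version only removes the lookup if every internal name is matched textually before isInNet() is reached; hosts on 192.168.1.0/24 under some other suffix would need their own dnsDomainIs() rule, otherwise the only way left to classify them is the address lookup that Niall describes.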


Re: AW: Disabling recursion causes browser hangs on clients with auto proxy config

2010-01-25 Thread Kevin Darcy

On 1/25/2010 2:47 PM, Niall O'Reilly wrote:

Frank Stanek wrote:

I'm sorry but I don't quite understand what you mean. Could you
please elaborate this on the basis of this excerpt from our pac
file?

function FindProxyForURL(url, host)
{
var proxy1 = "PROXY 192.168.240.29:8080";
var proxy2 = "PROXY 172.16.1.30:8080";
if ( dnsDomainIs(host, ".intern")
|| shExpMatch(url, "*//localhost*")
|| shExpMatch(url, "*//127*")


So far so good: you've tried to match part of the text of the
URL against each of those rules.


|| isInNet(host, "192.168.1.0", "255.255.255.0")
// more lines with subnets


Before applying this rule, your browser has to convert the
domain name given in the URL to an address, in order to check
whether the address belongs to the subnet.  Since you've
chosen to block recursive name resolution, this rule will fail
except for domain names for which your name server is
authoritative; likewise for more lines with subnets.



Good analysis.

More generally,
1) isInNet() or any other function which causes constant DNS lookups is 
bad from a DNS infrastructure point of view, and can run into caching 
complications
2) any form of access control which involves turning off recursion for 
particular clients is iffy, since stub resolvers don't react 
consistently to unexpected lookup results such as referrals. It is 
generally better to give a definitive REFUSED response, in order to make 
one's intent clear. In BIND terms, that would be allow-query rather 
than allow-recursion.




- Kevin



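Kevin's second point in configuration form, as an added example that is not from the thread: the two options blocks below are alternatives (a named.conf has only one), with the "internal" ACL, addresses and zone name chosen for illustration.

```conf
// Added example, not from the thread. The acl and addresses are illustrative.
acl "internal" { 192.168.0.0/16; 172.16.0.0/12; 127.0.0.1; };

// Iffy: recursion is refused to outsiders, but their queries are still
// accepted. A client outside "internal" asking for a name this server is
// not authoritative for gets a non-recursive reply rather than an answer,
// and stub resolvers do not handle that consistently (the browser hang).
options {
    recursion yes;
    allow-recursion { "internal"; };
    allow-query     { any; };
};

// Clearer: refuse the query itself. Clients outside "internal" get REFUSED,
// which a stub resolver treats as a definitive failure and moves on.
options {
    recursion yes;
    allow-recursion { "internal"; };
    allow-query     { "internal"; };
};

// Caveat: zones this server is authoritative for must stay queryable by
// whoever needs them. A zone-level allow-query overrides the global one.
zone "example.intern" {
    type master;
    file "example.intern.db";
    allow-query { any; };
};
```

After a change like this, check the result from an address outside the ACL with dig: a query for an external name should come back with status REFUSED rather than a reply carrying no answer section.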