Knowledge Base ISC Main Website Ask a Question/Contact ISC
What's the difference between allow-query-cache and allow-recursion?
Author: ISC Support Reference Number: AA-00503 Views: 28070 Created: 2011-10-24 10:25 Last Updated: 2017-05-23 19:47 100 Rating/ 1 Voters

allow-query governs who can send any query to the server, not just  queries against authoritative data. If a query is blocked by this ACL, the response sent back is empty (no records), with the RCODE set to REFUSED.

allow-query-cache was added in BIND 9.4 (previously, the only access control on cached data was allow-query).  It is used to restrict who has access to records that are in cache (i.e. that have been learned by the recursive server via recursion).

If a query is blocked by allow-query-cache, the response is REFUSED,  as with allow-query. If it passes allow-query-cache but is blocked by allow-recursion (an unusual situation these days), the query is  handled as if it were not recursive.

allow-recursion and allow-query-cache default to behave like each other. In other words, if one is set but not the other, the behavior is as if both were set to the same ACL. Therefore, there's almost  never any reason to set allow-query-cache - just use allow-recursion  for both, unless you truly have a use for allowing someone access to the cache who does not also have permission to send recursive queries  
to the server.

The defaults if no values are set at all:

allow-query { any; };
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

allow-recursion does not override allow-query-cache

If you have some clients who are allowed to make recursive queries of your server, they will not be able to query the server if they are blocked by allow-query-cache.  Think of allow-query-cache as a gateway that client queries need to pass through first to be able to access cached answers; in addtion they need to pass through allow-recursion to have the server make recursive queries on their behalf as well.

(With thanks to Chris Buxton, then of Men and Mice, for the original explanation posted on bind-users mailing list from which this is adapted).

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu