Our DNS server occasionally gets requests for recursion with forged src addresses. Currently our server returns "Standard query response, Refused" since our named.conf only allows recursion for our internal machines. This, of course, results in the poor machine whose address was forged receiving spurious traffic.
Some of the Cisco firewalls support DNS inspection and can be configured to drop requests which want recursion. What are the ramifications of enabling this? Can bind be configured to do this? I was thinking about something like:

    view "internal" {
        match-clients { localhost; localnets; };
        ...
    };

    view "external-recursive" {
        match-clients { any; };
        match-recursive-only yes;
        blackhole { any; };
    };

    view "external" {
        ...
    };

-- John
[EMAIL PROTECTED]

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
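As an added illustration of the trade-off raised in the post (this is example code written for this page, not something from the post or from BIND/ISC), the following Python classifier parses a raw DNS query payload, reads the RD (recursion desired) bit, and decides what a front-end filter would do with it given the source address. The point it makes explicit is that a firewall rule keyed only on the RD bit cannot tell which zone is being asked about: external stub resolvers commonly set RD=1 even when asking for data you serve authoritatively, so a blanket "drop RD from outside" rule would silence those legitimate queries too. The classifier therefore checks the zone first and only then distinguishes "refuse" (BIND's current REFUSED reply) from "drop" (the firewall behaviour). The networks, zone name and query contents below are constructed for the example.

```python
"""Classify raw DNS queries the way a 'drop recursion from outside' filter would.

Actions returned by classify():
  "recurse"  internal client, RD set, foreign name -> hand to the recursive view
  "auth"     any client asking about a zone we serve -> answer authoritatively
  "refuse"   external client, RD set, foreign name  -> REFUSED (current behaviour)
  "drop"     same, but silently discarded           -> the firewall behaviour
"""
import ipaddress
import struct

# Constructed for the example: networks allowed to recurse and zones we host.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]
AUTH_ZONES = ["example.org."]


def parse_query(payload: bytes):
    """Return (rd_flag, qname) from a DNS query payload; ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    rd = bool(flags & 0x0100)          # RD is bit 8 of the flags word
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        if length & 0xC0:                # compression pointers are not valid here
            raise ValueError("compression pointer in question name")
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(payload):           # QTYPE + QCLASS must follow the name
        raise ValueError("truncated question section")
    return rd, ".".join(labels) + "."


def build_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query for qname, with or without the RD bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def is_internal(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def in_auth_zone(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES)


def classify(src_ip: str, payload: bytes, drop_external_rd: bool = False) -> str:
    """Decide how to treat a query from src_ip carrying the given DNS payload."""
    rd, qname = parse_query(payload)
    if in_auth_zone(qname):
        return "auth"                    # serve our own data to anyone, RD or not
    if rd and is_internal(src_ip):
        return "recurse"
    if rd:                               # external client wants recursion
        return "drop" if drop_external_rd else "refuse"
    return "refuse"                      # non-recursive query for data we don't have


if __name__ == "__main__":
    for src, name, rd in [("192.0.2.10", "www.example.com", True),
                          ("203.0.113.5", "www.example.com", True),
                          ("203.0.113.5", "www.example.org", True)]:
        print(src, name, classify(src, build_query(name, rd), drop_external_rd=True))
```

With `drop_external_rd=True` the external query for `www.example.com` is dropped instead of answered with REFUSED, which is what stops the reflected traffic to the spoofed address; the external query for `www.example.org` still gets an authoritative answer because the zone check runs before the RD check, which is the distinction a pure RD-bit firewall rule cannot make.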