On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
In message <d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu>, myron writes:
I started reading up on Kirk's suggestions of the allow-*** settings.
In the global options level
I put
options {
        directory       "/etc/dns";
        allow-query-cache { any; };
        allow-query { any; };
        auth-nxdomain   yes;
};

and that definitely worked. By no means do I understand the paragraph
below from the README. I need to mull over it for a while and determine
where the options should go, whether globally or in a view, and whether
"any" is the right setting.

        Basically there are people using recursive DNS servers as
        amplifiers in DoS attacks by sending forged UDP queries.
        By restricting who can get access to the cache you reduce
        the effect of such queries to just anonymising the original
        query source.

        The defaults were changed so that only locally connected
        nets get recursive service and access to the cache.  This
        default is right for a large majority of the users of named.
        You should expand allow-query-cache to include all the
        networks you want to offer recursive service to.

        Mark

I think I got it right. I just changed "any" to my network. It works.

options {
        directory       "/etc/dns";
        allow-query-cache { int-net; };
        allow-query { int-net; };
        auth-nxdomain   yes;
};
Thanks for all the help.

--myron
=================================
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
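As an added example (not Mark's or myron's own configuration), here is the same fragment written out with the "int-net" ACL actually defined and with the cache/recursion settings separated from the general query setting; the address ranges are assumed placeholders from the documentation prefixes, not anyone's real network:

```conf
// Added example, not from the thread: a named.conf fragment that defines
// the "int-net" ACL myron refers to and separates "who may query
// authoritative data" from "who may use the cache / recursion".
// 192.0.2.0/24 and 2001:db8::/48 are documentation prefixes standing in
// for the real internal network; replace them with your own ranges.

acl "int-net" {
        localhost;
        localnets;
        192.0.2.0/24;           // assumed internal IPv4 range
        2001:db8::/48;          // assumed internal IPv6 range
};

options {
        directory       "/etc/dns";

        // Open resolver (the original "any" setting): anyone on the
        // Internet can use this server's cache and recursion, which is
        // what lets forged UDP queries be reflected at a third party.
        // allow-query-cache { any; };
        // allow-recursion   { any; };

        // Restricted: only int-net gets recursive service and cache
        // answers. BIND derives one of these from the other when only
        // one is given; setting both explicitly removes the guesswork.
        allow-recursion   { int-net; };
        allow-query-cache { int-net; };

        // allow-query also governs queries for authoritative zone data.
        // If this server is only a resolver, limiting it to int-net is
        // fine (as in the thread). If it also serves public zones, leave
        // this open and rely on the two settings above to close the cache.
        allow-query { int-net; };

        auth-nxdomain   yes;
};
```

Running named-checkconf against the file before reloading catches syntax errors such as an ACL that is referenced but never defined.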

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users