In message <83f1e37b-72bd-4454-8c2d-4fa91d5fc...@cs.moravian.edu>, myron writes:
> On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
> 
> >
> > In message <d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu>,  
> > myron writes:
> >> I started reading up on Kirk's suggestions of the allow-*** settings.
> >> In the global options level
> >> I put
> >> options {
> >>         directory       "/etc/dns";
> >>         allow-query-cache { any; };
> >>         allow-query { any; };
> >>         auth-nxdomain   yes;
> >> };
> >>
> >> and that definitely worked. By no means do I understand the paragraph
> >> below from the README.
> >> I need to mull over it for a while and determine where the options
> >> should go, whether globally or in a view
> >> and whether "any" is the right setting.
> >
> >     Basically there are people using recursive DNS servers as
> >     amplifiers in DoS attacks by sending forged UDP queries.
> >     By restricting who can get access to the cache you reduce
> >     the effect of such queries to just anonymising the original
> >     query source.
> >
> >     The defaults were changed so that only locally connected
> >     nets get recursive service and access to the cache.  This
> >     default is right for a large majority of the users of named.
> >     You should expand allow-query-cache to include all the
> >     networks you want to offer recursive service to.
> >
> >     Mark
> 
> I think I got it right. I just changed "any" to my network. It works.
> 
> options {
>          directory       "/etc/dns";
>          allow-query-cache { int-net; };
>          allow-query { int-net; };

        allow-query would normally be "any;" as you are normally
        publishing zones to the world.

>          auth-nxdomain   yes;
> };
> 
> >
> >
> >> Thanks for all the help.
> >>
> >> --myron
> >> =================================
> >> Myron Kowalski
> >> MoCoSIN Network/Systems Administrator
> >> Moravian College
> >> my...@cs.moravian.edu
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
> 
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
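As an added illustration (not configuration from either poster), here is a complete `named.conf` fragment that puts Mark's advice together: zones are published to everyone with `allow-query { any; }`, while the cache and recursion are limited to the local networks. The `acl "int-net"` declaration is assumed, since Myron's snippet references the name without showing its definition, and the address ranges in it are constructed placeholders; an ACL must be declared before the `options` block that uses it. `allow-recursion` is the companion directive to `allow-query-cache` (in BIND 9.4 and later, when only one of the two is set the other defaults to it; here both are set explicitly).

```conf
// Constructed example: the "int-net" ACL Myron's options block refers to.
// Replace the placeholder prefixes with the networks that should get
// recursive service.  The ACL must be declared before it is referenced.
acl "int-net" {
        127.0.0.1;              // the server itself
        192.0.2.0/24;           // placeholder: campus network (RFC 5737 range)
        198.51.100.0/24;        // placeholder: second internal network
};

options {
        directory       "/etc/dns";

        // Authoritative data is public: anyone may ask about zones we serve.
        allow-query { any; };

        // Recursion and cache answers only for our own networks.  This is
        // what stops the server from being used as an open amplifier for
        // forged UDP queries aimed at third parties.
        allow-recursion   { int-net; };
        allow-query-cache { int-net; };

        auth-nxdomain   yes;
};

// The weak setting the thread started from, shown for contrast only:
//
//      allow-query-cache { any; };     // open resolver: answers cache
//                                      // queries from the whole Internet
```

After editing, `named-checkconf /etc/dns/named.conf` (path assumed) reports syntax errors such as an undeclared ACL name before the server is reloaded; a query for an external name sent from an address outside `int-net` should then return REFUSED, while a query for one of the published zones still gets an answer.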
