Currently the box is running packet filter on freebsd.
I added:
antispoof log quick for em0 inet
but that did not trigger on any of the requests.
I am going to mess with views some time today, but if that doesn't stop
responses to requests from the outside, other then our domains, we will
move our domains back our registrar and let them do the publishing and only
use our dns servers for caching/recursing for our internal people and block
it from the outside.
On Thu, Jan 31, 2013 at 12:41 AM, Dmitri Tarkhov <tark...@dionaholding.ru>wrote:
> One very simple question - do you filter spoofed IPs
> at your firewalls?
> And, BTW, a lot of other must be stuff, like ports 135-139 ...
> (but that's another story)
>
> Personally I reject spoofed IPs even without logging.
>
>
> They are more then likely spoofed IP's and
>> someone is using our servers to attack people.
>>
>
> rich carroll wrote:
>
> acl "trusted" {
>> xxx.xxx.xxx.0/20;
>> xxx.xxx.xxx.0/23;
>> xxx.xxx.xxx.0/22;
>> xx.xxx.xxx.0/23;
>> xx.xxx.xxx.0/23;
>> xx.xxx.xxx.0/23;
>> x.xx.xxx.0/21;
>> x.xx.xx.0/24;
>> xxx.xxx.xxx.0/24;
>> localhost;
>> localnets;
>> };
>>
>> options {
>> // Relative to the chroot directory, if any
>> directory "/etc/namedb";
>> pid-file "/var/run/named/pid";
>> dump-file "/var/dump/named_dump.db";
>> statistics-file "/var/stats/named.stats";
>> allow-recursion { "trusted"; };
>> allow-query { any; };
>> allow-query-cache { "trusted"; };
>>
>> Its standard conf with the default stuff in it as well as a 24 zones or so
>> in it.
>>
>>
>>
>> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjc...@gmail.com> wrote:
>>
>>
>> So the response you received wasn't recursed ";; WARNING: recursion
>>> requested but not available", so at least that ACL is holding up, but
>>> it could be that the response you got is still being served from your
>>> DNS server's cache. Can you share the exact configuration statements
>>> you have implemented for allow-recursion and allow-query-cache and are
>>> these options in the view stanza or in the global options?
>>>
>>> Best practice is that authoritative and recursive DNS servers should
>>> be completely separate.
>>>
>>> Steve
>>>
>>>
>>
>>
>>
>>
>> ------------------------------**------------------------------**
>> ------------
>>
>>
>> ______________________________**_________________
>> Please visit
>> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>
>>
>
> --
> Best regards,
> Dmitri Tarkhov
>
>
> ______________________________**_________________
> Please visit
> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/**listinfo/bind-users<https://lists.isc.org/mailman/listinfo/bind-users>
>
--
Richard Carroll
richcarr...@gmail.com
785-288-1144
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
