I discovered my bind 9 server was being used in a DDOS attack so I
decided (late) to block outside networks from making recursive
requests. The problem is every time I enable this, the time for DNS
queries goes from 0-1ms to 2000-6000ms or just times out completely.
The options section is below. I've commented it out so as to enable my
network to run.
There are thousands of my clients that need recursion from this server.
It is also authoritative for many domains.
There is a semi busy mail server on this same box that uses DNS as well.
I googled this to death with no real suggestions. I've tried it with
ACL and without.
Any suggestions would be appreciated.
Marco
acl "internal" {
24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
recursive-clients 1000;
recursion yes;
//allow-query { any; };
//allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
"localnets"; "localhost"; };
//allow-recursion { "internal"; };
//allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
"localnets"; "localhost"; };
listen-on-v6 { none; };
listen-on { 24.202.224.2; };
version "8.2.3-REL";
};
--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
