On 16/04/13 14:28, Denis Laventure wrote:
>> Instead of blocking the source (which aren't even real - they're
>> spoofed) why not just block access to your recursive resolver on port 53?
>
> I need my DNS server to resolve for my authoritative domain. I have 30+ domains
> here; I can't block access to port 53.

(replying on-list for posterity)
Ah, it's a shared auth/recursive. In which case that's probably the best
you can do. Just be aware these IPs are probably spoofed - they are the
victims - so you should have some process to expire them over time.
FWIW this is one reason not to mix auth/recursive on the same server; it
tempts you to use the same IP.
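
The expiry process suggested in the reply above, as an added example that is not part of the original thread: a blocklist whose entries lapse after a TTL, so a spoofed victim address is released again. The log line shape, the class and function names, and the threshold, window and TTL values are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the client address in a BIND-style query log line (IPv4 only here).
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+.*query:")

class ExpiringBlocklist:
    def __init__(self, threshold=3, window=10, ttl=3600):
        # threshold/window/ttl are illustrative values, not recommendations.
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.recent = defaultdict(list)  # ip -> times of queries inside the window
        self.blocked = {}                # ip -> time at which the block lapses

    def observe(self, now, line):
        """Record one log line; return the IP if it has just been blocked."""
        m = CLIENT_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        self.recent[ip] = [t for t in self.recent[ip] if now - t < self.window] + [now]
        if len(self.recent[ip]) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = now + self.ttl
            return ip
        return None

    def expire(self, now):
        """Release every block whose ttl has passed, so a victim is not barred forever."""
        released = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in released:
            del self.blocked[ip]
            self.recent.pop(ip, None)
        return released

# Constructed sample: (seconds, log line); addresses are documentation ranges.
SAMPLE = [
    (0, "client 192.0.2.10#40001: query: example.com IN A +E (203.0.113.5)"),
    (1, "client 198.51.100.7#40002: query: example.com IN MX + (203.0.113.5)"),
    (1, "client 192.0.2.10#40003: query: example.com IN A +E (203.0.113.5)"),
    (2, "client 192.0.2.10#40004: query: example.com IN A +E (203.0.113.5)"),
]

def run_sample():
    bl = ExpiringBlocklist()
    newly = [ip for t, line in SAMPLE if (ip := bl.observe(t, line))]
    return newly, bl.expire(3000), bl.expire(3602), dict(bl.blocked)

if __name__ == "__main__":
    print(run_sample())
```

In practice `observe` and `expire` would drive whatever actually enforces the block; that hook is left out here because the thread does not say which mechanism is in use.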