Alan,

Appreciate the warning; these options are restricted in our public/internet-facing servers.

The server that had given us grief is in fact internal and only serves our internal addresses, and believe it or not the issue revolved around forwarder zones from peer networks that are private from the internet. Our desktops/linux workstations were not getting those peer-private DNS requests even though the server had them. Our peer did something ultra special, a new private, unsanctioned TLD, just for use on the peer networks... it's now impossible for us to function without forwarder records or explicitly allowing recursive queries on our internal and private network.

On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
>
> On Sep 25, 2013, at 3:23 PM, Brian Cuttler <br...@wadsworth.org> wrote:
>
> > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> > necessary statements.
> >
> > recursion yes;
> > allow-recursion { any; };
> > allow-query { any; };
> > allow-query-cache { any; };
> >
> > I realize your problem may be entirely different.
>
> And by doing this, you made yourself (again) an open recursive resolver
> capable of being used as a DoS amplifier.
>
> Please don't use "any" in these ACLs. Set ACLs that include only the address
> ranges that you control.
>
> This public service announcement brought to you by those that care about the
> Internet.
>
> (but thanks for upgrading to a relatively new version of BIND)
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com

---
Brian R Cuttler                 brian.cutt...@wadsworth.org
Computer Systems Support        (v) 518 486-1697
Wadsworth Center                (f) 518 473-6384
NYS Department of Health
Help Desk 518 473-0773

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
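The thread turns on one point: the four statements Brian quoted, with `any` in `allow-recursion` and `allow-query-cache`, make `named` an open recursive resolver, and the fix Alan asks for is an `acl` holding only the address ranges you control. The script below is an added example, not code from either poster or from ISC: it reads a `named.conf` fragment, resolves named `acl` definitions, and reports any recursion-related ACL that expands to the whole Internet. The two embedded configurations are constructed for the demonstration (the `internal` ACL, its RFC 1918 ranges, the `peer.internal` forward zone standing in for the peer's unnamed private TLD, and the forwarder address are all placeholders); the parser is a minimal regex reader for this check only, not a replacement for `named-checkconf`.

```python
import re

# Statements whose ACL decides who may use this server as a recursive resolver.
RECURSION_ACLS = ("allow-recursion", "allow-query-cache")
# Tokens that open a statement to every source address on the Internet.
WIDE_OPEN = {"any", "0.0.0.0/0", "::/0"}

# Constructed sample: the four statements quoted in the thread, verbatim.
OPEN_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
"""

# Constructed sample of the hardened form Alan asks for: recursion and cache
# access limited to an acl of ranges we control, answering queries for our
# own zones from anywhere, plus a forward zone for the peer's private TLD
# (placeholder name and forwarder address).
RESTRICTED_CONF = """
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; ::1; };
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query { any; };
    allow-query-cache { internal; };
};
zone "peer.internal" { type forward; forward only; forwarders { 10.99.0.53; }; };
"""


def strip_comments(conf):
    """Remove the three comment styles named.conf accepts."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _members(body):
    return [m.strip().strip('"') for m in body.split(";") if m.strip()]


def parse_acls(conf):
    """Map each top-level 'acl name { ... };' to its member list."""
    pattern = r"\bacl\s+\"?([\w.-]+)\"?\s*\{([^}]*)\}\s*;"
    return {name: _members(body) for name, body in re.findall(pattern, conf)}


def statement_members(conf, stmt):
    """Members of 'stmt { ... };', or None when the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(stmt), conf)
    return _members(m.group(1)) if m else None


def expand(members, acls, seen=()):
    """Resolve acl names recursively down to address/keyword leaves."""
    leaves = set()
    for m in members:
        if m in acls and m not in seen:
            leaves |= expand(acls[m], acls, seen + (m,))
        else:
            leaves.add(m)
    return leaves


def audit(conf):
    """Return (statement, token) pairs that expose recursion to the Internet."""
    conf = strip_comments(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if rec and rec.group(1) == "no":
        return []  # not a recursive server; nothing to amplify via the cache
    acls = parse_acls(conf)
    findings = []
    for stmt in RECURSION_ACLS:
        members = statement_members(conf, stmt)
        if members is None:
            continue  # BIND 9 defaults these to localhost and localnets when unset
        for token in sorted(expand(members, acls) & WIDE_OPEN):
            findings.append((stmt, token))
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit(conf) or "ok")
```

`audit(OPEN_CONF)` flags both `allow-recursion` and `allow-query-cache`, while the restricted fragment passes with `allow-query { any; }` left intact, which is the distinction the thread draws: answering queries for zones you host is fine, recursing on behalf of arbitrary sources is what makes the amplifier. Because the check expands named ACLs, an `acl everyone { any; };` referenced indirectly is caught as well.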