Nevertheless, it seems dangerous to have allow-recursion { any; }; Why not at
least have a proper ACL that is limited to the internal IP segments? Surely you
know the internal IP ranges used? No?
But more to the original post. If you're using a Windows machine, have you made
sure to clear your cache after any reconfiguration you may have done?
ipconfig /flushdns
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true
For Linux (Unix), if you are running the cache daemon, it is
sudo /etc/init.d/nscd restart
> Date: Wed, 25 Sep 2013 16:32:50 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: weird perfmonce BIND version 9.6
> CC: [email protected]
>
>
> Alan,
>
> Appreciate the warning, these options are restricted in our
> public/internet facing servers.
>
> The server that had given us grief is in fact internal and only
> serves our internal addresses, and believe it or not the issue
> revolved around forwarder zones from peer networks that are private
> from the internet. Our desktops/linux workstations were not getting
> those peer-private dns requests even though the server had them.
>
> Our peer did something ultra special, a new private, unsanctioned
> TLD, just for use on the peer networks... it's now impossible for us
> to function without forwarder records or explicitly allowing
> recursive queries on our internal and private network.
>
>
>
> On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
> >
> > On Sep 25, 2013, at 3:23 PM, Brian Cuttler <[email protected]> wrote:
> >
> > > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> > > necessary statements.
> > >
> > > recursion yes;
> > > allow-recursion { any; };
> > > allow-query { any; };
> > > allow-query-cache { any; };
> > >
> > > I realize your problem may be entirely different.
> >
> > And by doing this, you made yourself (again) an open recursive resolver
> > capable of being used as a DoS amplifier.
> >
> > Please don't use "any" in these ACLs. Set ACLs that include only the
> > address ranges that you control.
> >
> > This public service announcement brought to you by those that care about
> > the Internet.
> >
> > (but thanks for upgrading to a relatively new version of BIND)
> >
> > AlanC
> > --
> > Alan Clegg | +1-919-355-8851 | [email protected]
> >
>
>
> ---
> Brian R Cuttler [email protected]
> Computer Systems Support (v) 518 486-1697
> Wadsworth Center (f) 518 473-6384
> NYS Department of Health Help Desk 518 473-0773
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
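
Added example, not part of the original thread or any poster's configuration: a named.conf fragment that keeps recursion and the peer-TLD forwarding discussed above while replacing "any" with an ACL of internal ranges. The ACL name "internal", the RFC 1918 ranges, the zone name "peertld" and the forwarder address 192.0.2.53 are assumptions and placeholders.

```conf
// named.conf fragment (added example; addresses and zone name are placeholders)

// Internal ranges allowed to recurse. Assumption: RFC 1918 space;
// replace with the segments you actually control.
acl "internal" {
    localhost;          // built-in ACL: this host's own addresses
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    recursion yes;

    // Before (open resolver, usable as a DoS amplifier):
    //   allow-recursion   { any; };
    //   allow-query       { any; };
    //   allow-query-cache { any; };

    // After: only internal clients may query, recurse, or read the cache.
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };
};

// Forward the peer's private TLD to the peer's resolvers.
// "peertld" and 192.0.2.53 are hypothetical placeholders.
zone "peertld" {
    type forward;
    forward only;               // ask only the forwarders, never the public root
    forwarders { 192.0.2.53; };
};
```

Run named-checkconf on the file before reloading; clients outside the ACL should then get REFUSED for recursive queries.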