On 21 Jan 2014, at 02:12 , Mark Andrews <ma...@isc.org> wrote:

>> If you have master/slave servers you should specify allow-recursion for your 
>> subnet instead, right? If you do this, you don't need to set forwarders, 
>> yes?
> 
> Allow-recursion has no impact on master / slave zones.

OK, so in order to lock down your server against DDOS DNS attacks you need to 
restrict the access to the recursive lookup, yes? But if you set 'recursion 
no;' then your own servers will not lookup IP addresses for, for example, your 
mail server to check reject_unknown_reverse_client_hostname or related.

<http://www.zytrax.com/books/dns/ch9/close.html>

Looking at that, if I am reading it correctly, I should have

allow-recursion { "localnets"; }

in the options on the master and slave DNS servers (along with any other 
specific IPs that I want to/need to allow). Given the risks in allowing 
recursion for the wilds of the Internet, how are companies like Google able to 
allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS attacks?

>> And finally, can you specify a slave DNS against a CNAME or must it have a 
>> rDNS and an A record?
> 
> No.  NS records need to refer to nodes with A and/or AAAA records.  Reverse
> DNS is irrelevant to the delegation.

Thanks, I thought that was the case.

-- 
"A thousand years ago we thought the world was a bowl. Five hundred
years ago we knew it was a globe. Today we know it is flat and round
carried through space on the back of a turtle. Don't you wonder what
shape it will turn out to be tomorrow?" [Lord Vetinari]
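The configuration the thread is circling around, as an added example that is not from the original message or from ISC: a BIND named.conf fragment in which the server stays authoritative for its zones toward the whole Internet but only performs recursion for an explicit ACL (localnets plus named prefixes), so an internal mail server doing reverse-lookup checks is still served. The network prefixes, zone name, file path and slave address are placeholders; `rate-limit` is BIND's response rate limiting (available from 9.10), which is the usual mitigation for amplification abuse of the authoritative data that has to remain public.

```conf
// Added example (not from the original thread): options for a master that
// answers its own zones publicly but only recurses for trusted networks.
// All prefixes and names below are placeholders.

acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;          // placeholder: internal LAN (mail server lives here)
    2001:db8::/32;         // placeholder: internal IPv6 range
};

options {
    directory "/var/named";   // placeholder path

    // Recursion remains switched on, but only members of "trusted" may ask
    // for it; everyone else gets REFUSED for non-authoritative names.
    recursion yes;
    allow-recursion { "trusted"; };

    // Cached (recursive) answers must be fenced off the same way, otherwise
    // the cache contents are still served to arbitrary clients.
    allow-query-cache { "trusted"; };

    // Authoritative zones stay queryable from anywhere, as they must.
    allow-query { any; };

    // Response rate limiting (BIND 9.10+): caps identical responses per
    // client prefix per second, which blunts reflection/amplification abuse
    // of the public authoritative data without refusing legitimate lookups.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// Master and slave share the options above; only the zone statements differ.
zone "example.com" {
    type master;
    file "db.example.com";              // placeholder file name
    allow-transfer { 198.51.100.2; };   // placeholder: the slave's address
};
```

Setting `allow-recursion` alone is the common half-measure; `allow-query-cache` should match it, since a server that refuses recursion but still answers from cache remains useful to an abuser. Check the result with `named-checkconf` before reloading, and confirm from an address outside the ACL that a query for a name you are not authoritative for is refused while a query for your own zone is answered.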

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users