On 21 Jan 2014, at 02:12 , Mark Andrews <ma...@isc.org> wrote:

>> If you have master/slave servers you should specify allow-recursion for your
>> subnet instead, right? If you do this, you don't need to set forwarders,
>> yes?
>
> Allow-recursion has no impact on master / slave zones.

OK, so in order to lock down your server against DDoS DNS attacks you need to restrict access to the recursive lookup, yes? But if you set 'recursion no;' then your own servers will not look up IP addresses for, for example, your mail server to check reject_unknown_reverse_client_hostname or related.

<http://www.zytrax.com/books/dns/ch9/close.html>

Looking at that, if I am reading it correctly, I should have allow-recursion { "localnets"; } in the options on the master and slave DNS servers (along with any other specific IPs that I want to/need to allow).

Given the risks in allowing recursion for the wilds of the Internet, how are companies like Google able to allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDoS attacks?

>> And finally, can you specify a slave DNS against a CNAME or must it have a rDNS
>> and an A record?
>
> No. NS records need to refer to nodes with A and/or AAAA records. Reverse
> DNS is irrelevant to the delegation.

Thanks, I thought that was the case.

-- 
"A thousand years ago we thought the world was a bowl. Five hundred years ago we knew it was a globe. Today we know it is flat and round carried through space on the back of a turtle. Don't you wonder what shape it will turn out to be tomorrow?" [Lord Vetinari]
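A named.conf sketch of the two configurations discussed above, added here as an illustration and not taken from the original message or from ISC: the open-resolver setting beside the restricted one that keeps recursion for local clients (such as the mail server) while the master/slave zones stay answerable to everyone. The ACL name "trusted" and the 192.0.2.0/24 prefix are placeholders.

```conf
// Added example, not from the original post. named.conf accepts only one
// options block, so the two blocks below are alternatives, not one file.

// --- Alternative A: open resolver (weak) ---
// With recursion on and allow-query { any; } but no allow-recursion,
// BIND 9.4+ falls back to allow-query for recursion, so any host on the
// Internet may recurse through this server and use it as a reflector.
options {
    recursion yes;
    allow-query { any; };
};

// --- Alternative B: authoritative for all, recursive for local hosts only ---
acl "trusted" {
    localhost;
    localnets;          // subnets directly attached to the server's interfaces
    192.0.2.0/24;       // placeholder: other subnet that needs lookups (e.g. mail)
};

options {
    recursion yes;                     // keep recursion for the mail server's reverse lookups
    allow-query { any; };              // master/slave zone data remains publicly answerable
    allow-recursion { trusted; };      // only listed clients may trigger recursive lookups
    allow-query-cache { trusted; };    // outsiders cannot read cached answers either
};
```

From a host outside the ACL, a recursive query for a foreign name should be refused while a query for a zone this server is master or slave for still returns an authoritative answer.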