On 22 January 2014 05:29, LuKreme <krem...@kreme.com> wrote:

> OK, so in order to lock down your server against DDOS DNS attacks you need to
> restrict the access to the recursive lookup, yes? But if you set 'recursion
> no;' then your own servers will not look up IP addresses for, for example, your
> mail server to check reject_unknown_reverse_client_hostname or related.
> Looking at that, if I am reading it correctly, I should have
> allow-recursion { "localnets"; }

So yes, that is an option to restrict which IPs can perform recursion by using an ACL. A better option (and better overall design) would be to split your DNS servers: leave the current DNS servers as authoritative only and install a second set of DNS servers as a caching layer allowing recursion, with no direct inbound access from the Internet. All internal clients point to the caching layer.

> in the options on the master and slave DNS servers (along with any other
> specific IPs that I want to/need to allow). Given the risks in allowing
> recursion for the wilds of the Internet, how are companies like Google able
> to allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS
> attacks?

Well, they probably are being subjected to DDoS all the time, but Google uses their own DNS implementation, so more than likely they have written in functionality to rate-limit and block specific clients/requests. They also have a lot of bandwidth and a lot of servers, using Anycast for distribution.

http://en.wikipedia.org/wiki/Google_Public_DNS

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
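The following named.conf fragments are an added example (not part of the thread above, and not ISC's or either poster's configuration) showing the split design the reply recommends: an Internet-facing authoritative-only server with recursion off, and a separate internal caching resolver that is the only place recursion is allowed, restricted by ACL the way the quoted `allow-recursion { "localnets"; }` does. The address ranges, listen address, zone name and file paths are constructed placeholders.

```conf
// ---------- File 1: named.conf on the Internet-facing authoritative servers ----------
options {
    directory "/var/named";          // constructed path
    // Weak setting this replaces: "recursion yes;" with no allow-recursion ACL,
    // which turns the server into an open resolver usable for amplification.
    recursion no;
    allow-query { any; };            // anyone may ask for the zones served here
    allow-query-cache { none; };     // never hand out cached answers
    // Response rate limiting (built into BIND 9.9.4+ / 9.10) blunts spoofed
    // reflection traffic that still arrives for the authoritative zones.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

zone "example.com" {                 // constructed zone
    type master;
    file "example.com.zone";
};

// ---------- File 2: named.conf on the internal caching resolvers ----------
// Separate hosts, reachable only from inside; this is the resolver the mail
// server uses for reject_unknown_reverse_client_hostname lookups.
acl "internal" {
    127.0.0.0/8;
    192.0.2.0/24;                    // constructed: office LAN
    198.51.100.0/24;                 // constructed: server LAN
};

options {
    directory "/var/named";          // constructed path
    listen-on { 192.0.2.53; };       // constructed internal address, not exposed
    recursion yes;
    allow-query { internal; };       // only internal clients may query at all
    allow-recursion { internal; };   // and only they may trigger recursion
    allow-query-cache { internal; };
};
```

Validate each file with `named-checkconf` before reloading. A quick check of the authoritative side is to send it, from an address outside your ACLs, a query for a name it is not authoritative for; it should refuse rather than resolve it. On the caching side the same query from an internal client should succeed, which is what keeps the mail server's reverse lookups working after recursion is switched off on the public servers.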