Axel Rau <axel....@chaos1.de> wrote:

> I have,
>
> allow-query { any; };
> allow-query-cache { recursive-users; };
> allow-recursion { recursive-users; };
>
> How can I make sure that non-recursive-users get a REFUSED if the query is
> recursive?
Weird! I think your config should do what you want, so I wonder why it isn't working. Your server is responding to the problem queries with a referral from the root zone, so have you configured your server with a local authoritative copy of the root?

There's a broader issue here: usually when you have a server that is providing recursive service to anyone, it is best to set the allow-query ACL to cover just your users, so everyone else gets REFUSED. This means that your recursive server cannot also be used as an authoritative server advertised in NS records. Your public authoritative servers should be authoritative-only and not offer recursion to anyone.

> PS: I want to minimize the responses to this amplification attack:

Ooh, RRSIG queries are fun. They are like a stealth ANY query. BIND has several tools for dealing with this kind of junk:

* RRL is very effective
* minimal-any also minimizes responses to RRSIG queries
* minimal-responses can also help to reduce packet sizes

Your server is responding with a referral from the root, so minimal-any won't have any effect on the response. And because it's a referral, the glue etc. is not optional, so there's nothing that minimal-responses can omit.

So in your situation the most useful things to do would be:

* tighten up your allow-query ACL
* if you can't do that, use RRL (you can add recursive-users to the exempt-clients list)
* configure separate views for recursive-users and others; do not include the root zone in your external view

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
The Minch: North 6 or 7, backing northwest 3 to 5. Rough or very rough at first northeast of Skye, otherwise slight or moderate. Wintry showers. Good, occasionally poor.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
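The three mitigations Tony lists (a tightened allow-query ACL, RRL with recursive-users exempted, and a split-view layout that keeps the root zone out of the external view) as one named.conf sketch. This is an added example, not configuration from Tony's message or from the original poster; the ACL prefixes (RFC 5737 / RFC 3849 documentation ranges), the zone name example.com, the file names and the rate-limit numbers are all assumptions chosen for illustration.

```conf
// Added example: split-view BIND configuration for a host that must be both
// a recursive resolver for its own users and a public authoritative server.
// Prefixes, zone names, file names and RRL thresholds below are assumptions.

acl recursive-users {
    localhost;
    192.0.2.0/24;       // assumed: our client network (RFC 5737 range)
    2001:db8::/32;      // assumed: our client network (RFC 3849 range)
};

options {
    directory "/var/named";
    minimal-responses yes;   // trims non-essential authority/additional data
    minimal-any yes;         // keeps ANY (and RRSIG) answers small over UDP

    // Response Rate Limiting: our own users are exempt, everyone else is
    // capped. Numbers are illustrative, tune them against real traffic.
    rate-limit {
        responses-per-second 5;
        referrals-per-second 5;
        window 5;
        slip 2;
        exempt-clients { recursive-users; };
        log-only no;          // set to yes first to observe before enforcing
    };
};

// Internal view: full recursive service for our users only.
view "internal" {
    match-clients { recursive-users; };
    recursion yes;
    allow-recursion { recursive-users; };
    allow-query-cache { recursive-users; };
    allow-query { recursive-users; };   // the tightened allow-query ACL

    // The root hints live ONLY in this view, so only our users can ever
    // receive a referral from the root.
    zone "." {
        type hint;
        file "named.root";
    };
};

// External view: authoritative-only for everyone else.
// No root zone here: a query for a name outside our zones has nothing to
// refer to, so it gets REFUSED instead of a large root referral.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };               // but only for the zones below

    zone "example.com" {                // assumed public zone
        type primary;                   // "master" on BIND older than 9.16
        file "example.com.db";
    };
};
```

Views are matched in order, so a client in recursive-users lands in "internal" and never sees "external"; any other source address is served only from the authoritative zones in "external", which is the authoritative-only behaviour Tony recommends for public NS hosts. Run `named-checkconf` after editing, then confirm the effect from an address outside the ACL with `dig +norecurse @<server> example.org RRSIG` and check that the status is REFUSED rather than a root referral.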