Hi Glenn,

>> Actually the current Bind in stable is just a blessing in this respect.
>> It - by default - just allows recursion for localnet, localhost.
>
> This server is still Wheezy. The virtual websites didn't work on Jessie
> Apache (I have no idea why yet).
>
>> So if you don't mess with it at all it does the right thing automagically.
>
>> Most likely if you remove anything you tried to configure in the options it
>> will work just the way you want.
>
> I'd already done what Eduardo suggested in his post (config BIND to allow
> recursion from only a specified list of IPs), and all was well -- as soon as
> I tested it properly.
>
> FWIW, I ran dnstop for a while. I saw quite a bit of my own server at first,
> but over a few minutes, its output turned into a list of hits on my domains.
> Almost all from the 52, 54 area (AWS). I don't know, but I assume dnstop is
> looking at packets before iptables processes them. If not, something is still
> badly broken.
If you configure BIND to just respond to local requests then dnstop might still see the requests coming from other IP numbers; BIND just might not respond to a recursive query.

AFAIK iptables has nothing to do with this. You cannot block DNS requests at the iptables level as it cannot distinguish between a request for your own domain, to which BIND should respond, and a recursive request for another domain, which BIND should ignore.

Bonno Bloksma
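The distinction drawn above (a query for a domain the server is authoritative for versus a recursive query for someone else's domain) lives in the DNS payload: the question name and the RD bit in the header. An address/port match in iptables never looks at either, which is why the decision has to be made by BIND through allow-recursion. The following Python is an added example, not code from this thread or from BIND: it parses the header and question of a DNS query in wire format and applies a simplified model of the allow-recursion policy. The zone names, the ACL ranges and the client addresses are constructed for illustration.

```python
import ipaddress
import struct

# Zones this server is authoritative for (constructed for the example).
AUTHORITATIVE_ZONES = ("example.org.", "example.net.")

# Clients allowed to recurse, roughly what BIND's
# allow-recursion { localhost; localnets; }; would permit (assumed ranges).
ALLOW_RECURSION = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]


def parse_query(packet: bytes):
    """Return (rd_flag, qname) from a DNS query packet in wire format."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    rd = bool(flags & 0x0100)          # RD = "recursion desired" bit
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:                        # walk the length-prefixed labels
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return rd, ".".join(labels) + "."


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def decide(packet: bytes, src_ip: str) -> str:
    """Simplified allow-recursion policy: answer own zones for anyone,
    recurse only for RD queries from the ACL, refuse everything else."""
    rd, qname = parse_query(packet)
    if any(in_zone(qname, z) for z in AUTHORITATIVE_ZONES):
        return "answer-authoritative"
    src = ipaddress.ip_address(src_ip)
    if rd and any(src in net for net in ALLOW_RECURSION):
        return "recurse"
    return "refuse"


def build_query(name: str, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Construct a minimal A/IN query packet for testing (no EDNS)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    # Same source address, two different decisions: only the payload
    # tells them apart, which a layer-3/4 firewall rule cannot see.
    for name, src in [("www.example.org", "52.0.0.10"),
                      ("www.debian.org", "52.0.0.10"),
                      ("www.debian.org", "192.168.1.20")]:
        print(f"{src:>14}  {name:<18} -> {decide(build_query(name), src)}")
```

The two queries from 52.0.0.10 arrive on the same port from the same host; the first is answered because the name is in a served zone, the second is refused because the client is outside the recursion ACL. That is the separation BIND's allow-recursion makes and dnstop still counts both packets since it watches the wire, not the answers.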