If you allow remote servers to query your recursive servers (even if you only allow RD=0 access to your authoritative zones), then it's very easy for miscreants to deny service to your users. My resolvers reject TCP connections from outside our network to avoid this issue, amongst other techniques.
Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Northwest Viking: Northeasterly 6, veering southeasterly 4 or 5 later. Rough, becoming moderate later. Rain. Good, occasionally poor.
