On 2012-10-26, Michel Blais <mic...@targointernet.com> wrote:
> we must leave the DNS resolver allowed to everyone.

This is a *really* *really* bad idea. Since people started publishing dnssec-bloated zones, open DNS resolvers became a massive UDP packet amplification vector.

> Since we are a small ISP, we also receive reverse DNS queries that the
> unbound server will answer instead of NSD. I could have used 2 different
> units, one for unbound + one for NSD, but with CARP for high availability,
> and since CARP and virtualisation don't work from what I've read, it
> would mean using 4 different units. So instead, we added NSD on the same
> box, listening on another port, and use a stub-zone so unbound queries NSD
> for our address reverse DNS.

What's wrong with binding NSD to one IP address for authoritative queries, open to everyone, and binding your resolver to another address, only permitting users of your ISP?
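A configuration sketch of the split suggested in the reply, added here as an illustration and not taken from either poster: NSD answers authoritative queries on one address for anyone, while unbound answers recursive queries on a second address and only for the ISP's own prefixes, with the stub-zone pointing at NSD. The addresses 192.0.2.53 / 192.0.2.54, the customer prefixes 203.0.113.0/24 and 2001:db8::/32, the zone name and the OpenBSD file paths are placeholders chosen for the example.

```conf
# /var/unbound/etc/unbound.conf  -- resolver, reachable by customers only
server:
    interface: 192.0.2.54            # resolver address (placeholder)
    interface: 2001:db8::54
    # Weak setting that turns the box into an amplification source:
    #   access-control: 0.0.0.0/0 allow
    # Hardened: refuse recursion from the world, allow only our prefixes
    # (use "deny" instead of "refuse" to drop without sending any reply).
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 203.0.113.0/24 allow     # customer IPv4 (placeholder)
    access-control: 2001:db8::/32 allow      # customer IPv6 (placeholder)

# Our own reverse zone lives on NSD at the other address; unbound sends
# questions for it there instead of recursing from the root.
stub-zone:
    name: "113.0.203.in-addr.arpa."
    stub-addr: 192.0.2.53
    stub-prime: no

# /var/nsd/etc/nsd.conf  -- authoritative, open to everyone
server:
    ip-address: 192.0.2.53           # authoritative address (placeholder)
    ip-address: 2001:db8::53
    hide-version: yes

zone:
    name: "113.0.203.in-addr.arpa"
    zonefile: "113.0.203.in-addr.arpa.zone"
```

Because the two daemons bind to different addresses, no port juggling is needed, and only the authoritative answers (which cannot be coaxed into recursion) are exposed to the whole Internet.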