Use allow-query on primary servers?
Cricket Liu
cricket at acmebw.com
Tue Dec 21 19:41:18 UTC 1999
> Not really, though explicitly blocking systems that are being nasty
> would be reasonable. If you try to define a set of trusted hosts that
> are allowed to query your name servers, you probably lose. How are you
> going to predict which hosts and users on the internet will look up
> your domain(s) and the IP addresses of the name servers or resolvers
> they will use? This is only do-able when the name servers live behind
> a firewall and there's tight control over the nets that get routed
> over the internal network.

The technique Martin described *is* a good idea: Limiting
queries for domain names not in your authoritative zones.
Turning recursion off is somewhat more effective, if you
can do it, but his isn't a bad solution.

Martin, what sorts of weird responses are you seeing?

cricket
Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com
Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class! See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
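
Added example, not part of the original message: one way to express both options discussed above in named.conf, limiting queries for names outside the authoritative zones, with the recursion-off alternative shown commented out. The zone name example.com, the network 192.0.2.0/24, the directory and the file name are placeholders assumed for illustration.

```conf
// Added illustration; all names and addresses below are placeholders.

// Hosts allowed to ask this server about names it is NOT authoritative for.
acl "trusted" {
    192.0.2.0/24;   // assumed internal network
    localhost;      // built-in ACL: the server's own addresses
};

options {
    directory "/var/named";

    // Default for every query that no zone statement overrides:
    // only the trusted hosts may query for arbitrary names.
    allow-query { "trusted"; };

    // Alternative mentioned in the message: refuse recursion outright,
    // if no client depends on this server as its resolver.
    // recursion no;
};

// Authoritative zone: the per-zone allow-query overrides the global
// default, so anyone on the Internet can still look up these names.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};
```

With this layout a query from an untrusted address for a name in example.com is answered, while a query from the same address for any other name is refused.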