ip forwarding DNS 9.6.0
Mark Andrews
Mark_Andrews at isc.org
Tue Apr 7 23:44:41 UTC 2009
In message <D7656C59-094F-4B37-B3CC-4496DB3AFB38 at cs.moravian.edu>, myron writes:
> I started reading up on Kirk's suggestions of the allow-*** settings.
> In the global options level
> I put
> options {
> directory "/etc/dns";
> allow-query-cache { any; };
> allow-query { any; };
> auth-nxdomain yes;
> };
>
> and that definitely worked. By no means do I understand the paragraph
> below from the README.
> I need to mull over it for a while and determine where the options
> should go, whether globally or in a view
> and whether "any" is the right setting.
Basically there are people using recursive DNS servers as
amplifiers in DoS attacks by sending forged UDP queries.
By restricting who can get access to the cache you reduce
the effect of such queries to just anonymising the original
query source.
The defaults were changed so that only locally connected
nets get recursive service and access to the cache. This
default is right for a large majority of the users of named.
You should expand allow-query-cache to include all the
networks you want to offer recursive service to.
Mark
> Thanks for all the help.
>
> --myron
> =================================
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> myron at cs.moravian.edu
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list