ip forwarding DNS 9.6.0
Mark Andrews
Mark_Andrews at isc.org
Thu Apr 9 22:51:40 UTC 2009
In message <83F1E37B-72BD-4454-8C2D-4FA91D5FC4DA at cs.moravian.edu>, myron writes:
> On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
>
> >
> > In message <D7656C59-094F-4B37-B3CC-4496DB3AFB38 at cs.moravian.edu>,
> > myron writes:
> >> I started reading up on Kirk's suggestions of the allow-*** settings.
> >> In the global options level
> >> I put
> >> options {
> >> directory "/etc/dns";
> >> allow-query-cache { any; };
> >> allow-query { any; };
> >> auth-nxdomain yes;
> >> };
> >>
> >> and that definitely worked. By no means do I understand the paragraph
> >> below from the README.
> >> I need to mull over it for a while and determine where the options
> >> should go, whether globally or in a view
> >> and whether "any" is the right setting.
> >
> > Basically there are people using recursive DNS servers as
> > amplifiers in DoS attacks by sending forged UDP queries.
> > By restricting who can get access to the cache you reduce
> > the effect of such queries to just anonymising the original
> > query source.
> >
> > The defaults were changed so that only locally connected
> > nets get recursive service and access to the cache. This
> > default is right for a large majority of the users of named.
> > You should expand allow-query-cache to include all the
> > networks you want to offer recursive service to.
> >
> > Mark
>
> I think I got it right. I just changed "any" to my network. It works.
>
> options {
> directory "/etc/dns";
> allow-query-cache { int-net; };
> allow-query { int-net; };
allow-query would normally be "any;" as you are normally
publishing zones to the world.
> auth-nxdomain yes;
> };
>
> >
> >
> >> Thanks for all the help.
> >>
> >> --myron
> >> =================================
> >> Myron Kowalski
> >> MoCoSIN Network/Systems Administrator
> >> Moravian College
> >> myron at cs.moravian.edu
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
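The split Mark describes (answer authoritative queries from anywhere, but give recursion and cache access only to your own networks) as one complete named.conf fragment. This is an added example, not the configuration posted in the thread: the "int-net" ACL is assumed to be defined as shown (the thread never shows its definition), 192.0.2.0/24 is a placeholder for the internal network, and example.com is a placeholder for whatever zone the server publishes.

```conf
// Added example; not the configuration from the thread.
// Placeholders: 192.0.2.0/24 stands in for the internal network,
// example.com for the zone this server is authoritative for.

acl "int-net" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    directory "/etc/dns";

    // Weak setting (open resolver): the whole Internet can use the
    // cache and recursion, so forged UDP queries with a spoofed source
    // address turn this server into a DoS amplifier.
    //
    //   allow-query-cache { any; };
    //   allow-recursion   { any; };

    // Hardened setting: authoritative data is public, recursive
    // service and cache access are limited to the internal network.
    allow-query       { any; };
    allow-recursion   { int-net; };
    allow-query-cache { int-net; };

    auth-nxdomain yes;
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After editing, run named-checkconf on the file before reloading. To confirm the split behaves as intended, query from a host outside int-net: a query for a name in the published zone (dig @server example.com. SOA) should be answered, while a recursive query for a name the server is not authoritative for (dig @server www.isc.org. A) should be refused rather than answered from the cache. The same queries from inside int-net should both succeed.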