high volume from outside our networks question
Mark Andrews
marka at isc.org
Wed Jan 30 21:54:55 UTC 2013
In message <CAOvd2ajEoGnmBkJj7doU9QuE2XKt4iz6+LrkO2_1W3zUSTiu-w at mail.gmail.com>, rich carroll writes:
>
> acl "trusted" {
> xxx.xxx.xxx.0/20;
> xxx.xxx.xxx.0/23;
> xxx.xxx.xxx.0/22;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> xx.xxx.xxx.0/23;
> x.xx.xxx.0/21;
> x.xx.xx.0/24;
> xxx.xxx.xxx.0/24;
> localhost;
> localnets;
> };
>
> options {
> // Relative to the chroot directory, if any
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-recursion { "trusted"; };
> allow-query { any; };
> allow-query-cache { "trusted"; };
>
> It's a standard conf with the default stuff in it as well as 24 zones or so
> in it.
>
>
>
> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjcarr at gmail.com> wrote:
>
> > So the response you received wasn't recursed ";; WARNING: recursion
> > requested but not available", so at least that ACL is holding up, but
> > it could be that the response you got is still being served from your
> > DNS server's cache. Can you share the exact configuration statements
> > you have implemented for allow-recursion and allow-query-cache and are
> > these options in the view stanza or in the global options?
> >
> > Best practice is that authoritative and recursive DNS servers should
> > be completely separate.
> >
> > Steve
>
>
>
> --
> Richard Carroll
> richcarroll at gmail.com
> 785-288-1144
You should be getting "REFUSED" responses. With the following acls named returns REFUSED.
allow-recursion { localhost; 2001:470:1f00:820::/64; };
allow-query-cache { localhost; 2001:470:1f00:820::/64; };
/usr/local/bin/dig -4 ssss.com @drugs
; <<>> DiG 9.9.2-P1 <<>> -4 ssss.com @drugs
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44936
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ssss.com. IN A
;; Query time: 71 msec
;; SERVER: 192.168.191.223#53(192.168.191.223)
;; WHEN: Thu Jan 31 08:51:58 2013
;; MSG SIZE rcvd: 37
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
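The three outcomes the thread is distinguishing (REFUSED from a working ACL, a non-recursive answer served from the cache, and an outright open resolver) can be told apart from the dig header alone. The script below is an added example, not code from the list or from ISC: it parses the `status:` and `flags:` lines of dig output and classifies what the response says about `allow-recursion` and `allow-query-cache` for the querying client. The dig excerpts embedded as samples are constructed for the example, not captures from the hosts in the thread.

```python
"""Classify dig output seen from an outside vantage point to check whether a
BIND server leaks recursion or cached data to untrusted clients.

Added example for the bind-users thread; not code from ISC or the posters.
The sample dig headers below are constructed, not captured from real hosts."""
import re

# Constructed dig header excerpts, one per response class.
SAMPLES = {
    # What Mark shows: allow-recursion / allow-query-cache exclude this client.
    "refused": """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44936
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
""",
    # Authoritative answer for a zone the server hosts: expected with allow-query { any; }.
    "authoritative": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
""",
    # Recursion granted to an outside client: an open resolver.
    "open": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
""",
    # Non-authoritative data without ra: the cache is being served to us
    # (the case Steven raised).
    "cache": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
""",
}

STATUS_RE = re.compile(r"status: ([A-Z]+),")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);\s*QUERY: (\d+), ANSWER: (\d+)", re.M)


def parse_dig(output):
    """Return (rcode, set of header flags, answer count) from dig output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split()), int(flags.group(3))


def classify(output):
    """Map one dig response to what it says about the server's ACLs."""
    rcode, flags, answers = parse_dig(output)
    if rcode == "REFUSED":
        return "refused"         # allow-recursion / allow-query-cache hold for us
    if "ra" in flags:
        return "open-resolver"   # recursion is offered to this client
    if "aa" in flags:
        return "authoritative"   # data from a zone the server hosts; fine with allow-query { any; }
    if answers:
        return "cache-leak"      # non-authoritative data with no recursion: served from cache
    return "no-data"


def audit(samples):
    """Classify a mapping of label -> dig output; returns label -> verdict."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:14s} -> {verdict}")
```

In practice the input is the output of `dig @server somename` run from an address outside the `trusted` ACL; query a name the server is not authoritative for, since a hosted zone will legitimately answer anyone when `allow-query { any; }` is set. Only "refused" (or "no-data") is the result you want for a non-local name; "cache-leak" means `allow-query-cache` is not restricting the client even though recursion is, and "open-resolver" means `allow-recursion` is not holding.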