Use allow-query on primary servers?

Martin Horneffer Horneffer at rrz.Uni-Koeln.DE
Wed Dec 22 08:17:28 UTC 1999


Cricket Liu wrote:

> The technique Martin described *is* a good idea:  Limiting
> queries for domain names not in your authoritative zones.
> Turning recursion off is somewhat more effective, if you
> can do it, but his isn't a bad solution.

Just turning off recursion doesn't prevent certain DoS attacks that
exploit the fact that DNS replies can be larger than queries.

> Martin, what sorts of weird responses are you seeing?

I tried this once for our domain "uni-koeln.de" on our primary server
134.95.100.209, but quickly turned it off again.

Queries concerning our zones were correctly let through where the queried
name exists. But when asked for a non-existent name within our domain,
our nameserver answered "Query refused" instead of "Non-existent
host/domain". E.g.: 

linus:~% nslookup foo.uni-koeln.de 134.95.100.209 
Server:  noc.rrz.Uni-Koeln.DE
Address:  134.95.100.209

*** noc.rrz.Uni-Koeln.DE can't find foo.uni-koeln.de: Query refused
linus:~%

Martin
-- 
Martin Horneffer -- Horneffer at rrz.uni-koeln.de
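A check for the behaviour described in the post, added here as an example and not code from the original message or from BIND: it builds the same A query the nslookup session sends, parses the RCODE of the reply, and flags a REFUSED answer for a name inside an authoritative zone, which should instead be NXDOMAIN. The `make_response` helper constructs sample replies so the parsing can be exercised offline; the `probe` function is the only part that touches the network, using the name and server from the post.

```python
import socket
import struct

# RCODE values from RFC 1035. nslookup's "Query refused" is REFUSED (5); the
# correct negative answer for a name in an authoritative zone is NXDOMAIN (3).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qid=0x1234, qtype=1):
    """Build a recursion-desired A query (QTYPE 1, QCLASS IN) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def make_response(query, rcode, aa=True):
    """Constructed sample reply to `query` with the given RCODE and no records."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (0x0400 if aa else 0) | 0x0100 | (rcode & 0xF)  # QR, AA, RD, RCODE
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:]

def response_rcode(data):
    """Return the RCODE name of a DNS message, rejecting anything that is not a reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", data[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def negative_answer_ok(rcode):
    """A primary should answer NXDOMAIN (or NOERROR for an empty name) inside its
    zones; REFUSED means the allow-query ACL fired before the zone was consulted."""
    return rcode in ("NXDOMAIN", "NOERROR")

def probe(name, server, port=53, timeout=3.0):
    """Send the query over UDP and return (rcode, ok). Needs network access."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    rcode = response_rcode(data)
    return rcode, negative_answer_ok(rcode)

if __name__ == "__main__":
    # Same check as the nslookup in the post: a name that does not exist in the zone.
    print(probe("foo.uni-koeln.de", "134.95.100.209"))
```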
