Deny??

Joseph S D Yao jsdy at cospo.osis.gov
Wed Sep 1 14:11:03 UTC 1999


Per Michael Voight:
> Simply block inbound access to tcp and udp port 53 on your router.
> 
> Michael Voight
> 
> Derrick Stinson wrote:
> > How do you deny unauthorized use of your nameserver ??? Ie: someone
> > outside my domain or class c has set up a www.whatever.com that is pointing
> > to my nameservers???

I didn't answer this because I was not sure what Mr. Stinson MEANT.
Links do not point to name servers, in general, unless the name server
is also a Web server.  The link may point to something inside your
domain, in which case the lookup - via your name server - is a
legitimate use, since presumably your name server is out there to tell
us how to translate your hosts' names to IP addresses.  Of course, how
would you KNOW that all of the references from all over the world came
because the users saw your host name in that one Web page?  (The
references would never be seen as coming from the Web server, but from
the Web clients.)

If your name server is out there only to serve your local community,
and you don't WANT anybody "out there" on the Internet to know any of
the information served by or gathered by the name server, simply use

	options {
		...
		allow-query { ... };
		...
	};

to restrict the ability to query to your own domain, or to whatever you
believe is appropriate.

If you can't do this because you have a BIND 4 name server, then get a
BIND 8 name server.  It's worth it for the increased security and
flexibility.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
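
The restriction described in the message above, as an added example that is not part of the original post: a named.conf fragment that limits queries to your own networks by default and goes one step further by leaving a published zone open to outside lookups. The ACL name "trusted", the 192.0.2.0/24 network, the zone name and the zone file name are placeholders chosen for illustration.

```conf
// Constructed example; every address and name below is a placeholder.

// Hosts and networks that may query this server.
acl "trusted" {
	127.0.0.1;
	192.0.2.0/24;		// substitute your own network(s)
};

options {
	// Server-wide default: only the "trusted" ACL may ask questions.
	// A zone's own allow-query (below) overrides this default.
	allow-query { "trusted"; };
};

// A zone you publish to the Internet.  Outside clients must be able to
// resolve these names, so the server-wide restriction is lifted here only.
zone "example.com" {
	type master;
	file "example.com.db";
	allow-query { any; };
};
```

If the server exists only for the local community, as in the case the message describes, omit the per-zone override so the server-wide restriction applies everywhere.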

