Deny??

Barry Margolin barmar at bbnplanet.com
Wed Sep 1 16:05:47 UTC 1999


In article <37CD43D6.487F06CF at cisco.com>,
Michael Voight  <mvoight at cisco.com> wrote:
>
>
>Barry Margolin wrote:
>> 
>> In article <37CC8932.7C615AB2 at cisco.com>,
>> Michael Voight  <mvoight at cisco.com> wrote:
>> >Simply block inbound access to tcp and udp port 53 on your router.
>> 
>> That would prevent use of his nameserver for the domains he *does*
>> administer on it -- cutting off his nose to spite his face.
>
>I thought he wanted to block outside people from getting to his
>nameserver. I could have misread this :)

You may be right.  In that case, the solution is to use the "allow-query"
option in named.conf to restrict who can perform recursive queries.  If the
server is the registered authority for any zones, it will still have to
allow anyone to query in those domains, so it will need "allow-query
{any;}" in those zone statements.

If it's a caching-only nameserver, then blocking inbound access to port 53
will also do it (assuming it's running BIND 8 -- BIND 4 used port 53 as the
source port for recursive queries, so you had to allow this back in).

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
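An added illustration of the named.conf split Barry describes (this is example configuration, not from the post or the BIND distribution): a global "allow-query" limited to the server's own networks, overridden with "allow-query { any; }" in every zone the server is authoritative for. The network 192.0.2.0/24, the zone name example.com and the file names are placeholders (documentation values), not addresses or zones from the thread.

```conf
// Global restriction: only our own hosts may send queries, which is
// what stops outsiders from using this server as a recursive resolver.
// Anything not overridden at zone level inherits this list.
options {
    directory "/var/named";                       // placeholder path
    allow-query { 127.0.0.1; 192.0.2.0/24; };     // placeholder local nets
};

// Zones we are the registered authority for must remain answerable by
// anyone on the Internet, so each one overrides the global list.
zone "example.com" {
    type master;
    file "db.example.com";                        // placeholder file
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";                            // placeholder file
    allow-query { any; };
};
```

With this in place, a lookup from outside 192.0.2.0/24 for a name under example.com is answered authoritatively, while a lookup from the same host for any other name is refused instead of being resolved recursively on its behalf. Later BIND releases (8.2 and BIND 9) add a separate "allow-recursion" option that limits recursion directly, so the per-zone overrides become unnecessary; and a server that only needs to be authoritative can turn recursion off entirely with "recursion no;" in options.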

