Evolution of Resolvers
Kevin Darcy
kcd at daimlerchrysler.com
Thu Dec 7 04:01:49 UTC 2000
With BIND 9's "view" mechanism, you could go a step further: define your
own root zone in the external view with a wildcard entry pointing to
some web site which would get *noticed* so that hopefully those morons
will fix their resolver configuration. If you want to be nice about it,
point it to a web page that says basically "please fix your resolver
configuration". If you're not that nice, or just too lazy to set up a
web page like that, point it to a porno site, hate-group site, or something
similar.
- Kevin
Thomas Duterme wrote:
> Hi all,
>
> Thank you Mathias for all your help regarding Query Restrictions. I
> wanted to reopen a point he brought up to me to the list: the
> evolution of Resolvers.
>
> Myself being anal-retentive and over-protective of my servers, I'd
> like to lock out anyone who shouldn't be using my server to lookup
> names. Specifically, I'd like to kick out clients who don't have my
> permission to use my nameserver.
>
> So I do something like this:
>
> options {
>     allow-query { my_machines; };
>     allow-recursion { my_machines; };
> };
>
> then in the specific zones I'm authoritative for,
> I overwrite the allow-query statement:
>
> zone "madeforchina.com" in {
>     allow-query { any; };
>     type master;
>     file "pri/madeforchina.com";
> };
>
> Now, Mathias brought up a good point about this. If there exist
> stupid resolvers out there who don't understand the 'Query Refused'
> response, and keep hammering my machine, perhaps it would be safer to
> just pass the reference to root through a non-recursive response. Has
> anyone had experience with this kind of scenario? Any ideas or
> comments?
>
> Thanks,
> Thomas
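
Added example (not part of the original thread, and not configuration posted by either participant): one way the BIND 9 view setup described in the reply could look, combined with the query restrictions from the quoted message. The ACL range, the hints file name "named.ca", the zone file "pri/external-root", the host name "local-ns." and all addresses are assumptions chosen for illustration.

```conf
// named.conf fragment for BIND 9 (added example; the addresses, the
// "named.ca" hints file and "pri/external-root" are assumed names).
acl my_machines { 192.0.2.0/24; };   // placeholder for your own clients

// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { my_machines; };
    recursion yes;
    zone "." in { type hint; file "named.ca"; };
    zone "madeforchina.com" in { type master; file "pri/madeforchina.com"; };
};

view "external" {
    match-clients { any; };   // everyone not matched by "internal"
    recursion no;
    allow-query { any; };     // overrides a restrictive global allow-query
    zone "madeforchina.com" in { type master; file "pri/madeforchina.com"; };
    // Locally served root zone: any name outside the zones above is
    // answered from the wildcard instead of REFUSED or a root referral.
    zone "." in { type master; file "pri/external-root"; };
};

/* pri/external-root (zone file, shown here as a comment):

$TTL 300
.         IN SOA local-ns. hostmaster.local-ns. ( 1 3600 900 604800 300 )
.         IN NS  local-ns.
local-ns. IN A   198.51.100.53   ; placeholder: this server's address
*.        IN A   198.51.100.80   ; placeholder: host of the notice page

Keep every owner name in this file to a single label. A record such as
ns1.madeforchina.com. would create the empty node "com." in this zone,
and the root wildcard would then stop matching names under com.
*/
```

Both files can be checked before reloading with named-checkconf and with named-checkzone . pri/external-root.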