preventing external use of nameserver for non-authoritative zones

Robin Stevens robin.stevens at computing-services.oxford.ac.uk
Thu Feb 1 17:37:35 UTC 2001


I'm attempting to lock down our nameservers to prevent arbitrary hosts from
getting responses to arbitrary queries, as recommended by the CIAC bulletin
http://ciac.llnl.gov/ciac/bulletins/j-063.shtml

Mostly, there's no problem: I can lock things down such that internal users
can use our servers for all requests, but external users may only use them
for the zones for which we are authoritative.

However, this presents a problem.  Under ox.ac.uk, a handful of zones are
delegated to other nameservers within the University network, and the
number of such delegations will increase as Active Directory becomes more
popular.  When requesting from these delegated zones at our main
nameservers, I find that BIND will respond the first time it receives a
particular request, even to an external host, but will not respond to an
external host if the response has been cached, instead returning "REFUSED".

Is there a solution to this problem?

-- 
--------------- Robin Stevens  <robin.stevens at oucs.ox.ac.uk> -----------------
Oxford University Computing Services  http://www-astro.physics.ox.ac.uk/~rejs/
 (+44)(0)1865: 726796 (home) 273212 (work)  273275 (fax)  Mobile: 07776 235326
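The lock-down described in the post (internal hosts may recurse, external hosts may only query zones the server is authoritative for), written as an added example in BIND 9 named.conf syntax. This is not configuration from the original post or from Oxford; the 2001-era BIND the poster ran predates some of these directives (notably allow-query-cache), so treat it as the modern expression of the same policy. The "campus" prefix and the zone file name are placeholders. The external view answers only from authoritative data, so a query for a name under a delegated child zone yields a referral rather than a cached answer; the example does not claim to address the specific cache-then-REFUSED behaviour the poster observed in their version.

```conf
// --- Weak setting: open resolver -------------------------------------
// Anyone on the Internet can use this server as a recursive resolver
// and read everything it has cached.
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion / allow-query-cache: both default to "any"
};

// --- Corrected setting, single view ----------------------------------
// Placeholder prefixes; substitute the real internal address ranges.
acl "campus" { 127.0.0.1; 10.0.0.0/8; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { campus; };   // only campus clients may recurse
    allow-query-cache { campus; };   // only campus clients may read the cache
    allow-query       { any; };      // authoritative zones stay public
};

// Authoritative data is still served to everyone; the file name is a
// placeholder for this example.
zone "ox.ac.uk" {
    type master;
    file "ox.ac.uk.zone";
};

// --- Alternative: split views ----------------------------------------
// The first view whose match-clients matches the querier wins, so the
// internal view must come first. The external view has recursion off and
// no cache access at all, so external clients asking about a delegated
// child zone get the NS referral from authoritative data, never a cached
// answer.
view "internal" {
    match-clients { campus; };
    recursion yes;
    zone "ox.ac.uk" { type master; file "ox.ac.uk.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "ox.ac.uk" { type master; file "ox.ac.uk.zone"; };
};
```

To check the result, query the server from an address outside the campus ACL for a name outside your zones and expect REFUSED (or a non-recursive referral, depending on version), then query a name inside ox.ac.uk and expect an authoritative answer; `rndc reload` after editing, and `named-checkconf` before that, catch syntax slips.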

