BIND9 negative cache after timeout.

Simon Waters Simon at wretched.demon.co.uk
Tue Aug 5 13:49:40 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan Gyselinck wrote:
> On Thu, Jul 03, 2003 at 09:47:21AM +1000, Mark_Andrews at isc.org wrote:
>
>>	And it is also an easy one to prevent.  Don't have a wide
>>	open caching server.  Apply anti-spoofing filters at the
>>	IP level.
>
>
> It helps somewhat, but that's not preventing the problem.
> You don't need a wide open resolver to get this.  Enough
> customers that use the resolver are enough to hit this often
> enough too.

Mark is addressing the question of deliberate attack. Ultimately you can
make any service unusable if it doesn't restrict your clients' (or
others') ability to use it.

Have you tried upping the "recursive client" limit to a value more
suitable for your number of clients?

> there are lots of stub resolvers out there that keep
> querying for the same name if it doesn't resolve (ServFail and
> friends).

If you can identify it, log a bug report for the application re: RFC1123.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/L7XyGFXfHI9FVgYRAkieAJ9jtXS2BHHVBNJPDRRXS9zVFg8D+QCfcsgu
h2Ui2MDvTspsGFUDgtmS7HQ=
=4y62
-----END PGP SIGNATURE-----
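The two knobs discussed in this thread, an open recursor versus a restricted one and the "recursive clients" ceiling, as a named.conf example added here (it is not configuration from Simon, Jan or Mark, and not from the BIND distribution). The ACL name "customers", the RFC 5737 documentation address ranges and the value 5000 are assumptions; the two `options` blocks are alternatives for one server, not meant to appear in the same file.

```conf
// Added example, not from the original post.
//
// BEFORE (wide-open caching server): recursion is on for everyone, and the
// default recursive-clients ceiling (1000 in BIND9) is easy to exhaust with
// queries for names that never resolve, since each one ties up a slot for
// the full resolution timeout.
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion statement: defaults to { any; }
    // no recursive-clients statement: defaults to 1000
};

// AFTER (restricted, sized for the real client base). Addresses are
// assumptions; replace them with the prefixes your customers actually use.
acl "customers" {
    127.0.0.1;
    192.0.2.0/24;
    198.51.100.0/24;
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { customers; };   // outsiders get REFUSED, not a slot
    recursive-clients 5000;           // sized to the customer base, an assumption
};
```

Restricting `allow-recursion` stops outsiders from consuming slots, and raising `recursive-clients` buys headroom for customer stub resolvers that retry the same failing name; neither is a substitute for the IP-level anti-spoofing filters Mark mentions, which belong on the border router or firewall rather than in named.conf. After reloading, `rndc status` reports the in-use and maximum recursive client counts, which is the number to watch when deciding whether the limit is still too low.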



More information about the bind-users mailing list