allow-recursive question

Jim Reid jim at rfc1035.com
Wed Mar 30 10:14:27 UTC 2005


>>>>> "Mariano" == Mariano Cunietti <mcunietti at enter.it> writes:

    Mariano> Should I disable recursive queries for users outside my
    Mariano> networks?

YES! Nobody should be offering recursive DNS service to IP addresses
outside their network. Open DNS service like that is almost as bad as
an open mail relay. Of course authoritative name servers have to
accept (non-recursive) queries from everywhere. These servers however
should not be offering recursive service.

    Mariano> Would there be any side effect? 

Not for your customers. The freeloaders wouldn't get DNS service from
you any more. Which is how it should be. They have no business sending
their recursive queries to your name servers. Unless there was some
prior agreement in place that you don't know about.

It might be an idea to warn these freeloaders that you're going to
stop them using your name servers, if only to prevent them telling
their customers it's your fault the internet stopped working.

    Mariano> Which is a common policy for ISPs about allowing
    Mariano> external users to submit recursive queries?

There's no documented policy AFAIK. Feel free to write one and submit
it to dnsops or a technical operator forum like RIPE. Common sense
would indicate that an ISP should only provide recursive DNS service
for its paying customers.
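
The restriction discussed in this message, as an added named.conf example that is not part of the original post. The ACL name `customers` and the address ranges (documentation prefixes) are placeholders to be replaced with the operator's own networks.

```conf
// Constructed example: the ACL name and prefixes below are placeholders.
acl customers {
    127.0.0.1;
    192.0.2.0/24;        // placeholder customer range
    198.51.100.0/24;     // placeholder customer range
};

options {
    // The open setting the message warns against:
    //   allow-recursion { any; };

    // Recursive service only for the operator's own networks.
    recursion yes;
    allow-recursion { customers; };

    // Zones this server is authoritative for still have to be
    // answerable from everywhere (non-recursive queries).
    allow-query { any; };

    // On a server that is authoritative-only, drop the two
    // recursion lines above and use this instead:
    //   recursion no;
};
```

Running `named-checkconf` against the edited file catches syntax errors before the server is reloaded.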


