Open DNS Server

Seth Mos seth.mos at xs4all.nl
Sat Aug 12 13:59:41 UTC 2006


>
> I think it is always a good idea that if you have an external facing
> dns server that you disable recursive lookups on it.  I don't know what
> sort of situation you're in, but I would normally recommend two
> different servers, one for the internal network (read: not externally
> accessible), and one for the external network (read: internet
> accessible).  However, depending on your situation, if you only have
> one server to dedicate for this, you can set it so that it only allows
> recursive lookups for internal IP addresses:
>
>       allow-recursion { 127.0.0.1; 192.168.0.0/24; };
>
> in the options section of your bind config.

Even so, with this line in my bind config a query from a remote host
fails. However, if I fire that same query from the internal network it
succeeds.

This is intended.

If you then retest that query from the remote host it also succeeds.

So initial queries fail, but successful queries from the internal LAN will
build a cache and it will even return those results to a remote host
querying for that same name. Not sure if that was intended or not.

This is in Bind 9.2.1, which is shipped with Debian 3.1.

Kind regards,

Seth
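One way to keep a single server from handing its recursive cache to outside hosts, as an added example that is not from this thread or any poster: split the server into two BIND views, so internal and external clients get separate caches. The zone name and file paths are placeholders; the 192.168.0.0/24 range is the internal network from the quoted reply.

```conf
// Added example, not from the original thread. Each BIND 9 view keeps its
// own cache, so names resolved from the LAN are never visible to the
// external view. With views in use, every zone must live inside a view.
acl internal { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/var/cache/bind";   // placeholder path
    recursion no;                  // global default; views override it
};

// Internal clients: recursion allowed, cache shared only among them.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "." {
        type hint;
        file "/etc/bind/db.root";            // placeholder path
    };
    zone "example.com" {                     // placeholder zone
        type master;
        file "/etc/bind/db.example.com";     // placeholder path
    };
};

// Everyone else: authoritative answers for our own zones only.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {                     // placeholder zone
        type master;
        file "/etc/bind/db.example.com";     // placeholder path
    };
};
```

Check the file with named-checkconf, then repeat the test from the post: resolve a foreign name from the LAN and query the same name from outside; with separate views the outside query gets no answer instead of the cached one.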
