Drop forwarded requests
Kevin Darcy
kcd at chrysler.com
Mon Dec 3 22:59:35 UTC 2007
gagadget at free.fr wrote:
> Hi listers,
>
> Is there a way to prevent BIND from answering forwarded requests?
>
> For local uses, somebody has set up a DNS on our network (very large network),
> his server is forwarding all requests it can't answer. We asked him several
> times to shut down his server but he won't. For security reasons, we don't do
> forwarding on our servers so we would like to deny his forwarded requests
> without denying all his requests.
>
It's not clear what requests you want to block. What requests are you
getting from him that *aren't* forwarded requests? If you just want to
block recursive requests generally, you can use "allow-recursion" and/or
"allow-query-cache", as Barry suggested. Another option to look into
would be to set up an "empty" view solely for recursive clients -- that
would have the advantage of terminating the lookups, as opposed to a
REFUSED response which might result in the client just trying a
different resolver.

Or, as Danny Mayer pointed out, why are you trying to use a technical
band-aid on what is essentially an administrative problem? Your first
line of attack should be to get them to fix the bad behavior, although
I'm sympathetic to the fact that in a large corporation sometimes it's
difficult to get the right people on board for that kind of action...
- Kevin
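
Added example, not part of Kevin Darcy's message: a named.conf sketch of the two options he mentions, with recursion refused globally and a view that catches only recursive queries from the forwarding host. The address 192.0.2.53, the zone names and the file names are constructed placeholders, and reading the "empty" view as one that serves an empty root zone is an assumption.

```conf
// Constructed placeholder: address of the unwanted forwarder.
acl "rogue-forwarder" { 192.0.2.53; };

options {
    directory "/var/named";
    // Option 1: refuse recursion and cached answers for everyone.
    // Forwarded queries for names outside our zones get REFUSED.
    allow-recursion   { none; };
    allow-query-cache { none; };
};

// Option 2: sink view. Matches only queries from the forwarder
// that have the RD (recursion desired) bit set, which is what a
// forwarding server sends. Views are tried in order, so this
// one must come first.
view "recursive-sink" {
    match-clients { "rogue-forwarder"; };
    match-recursive-only yes;
    recursion no;

    // Empty root zone (SOA and NS records only): every name not
    // covered by a more specific zone below gets an authoritative
    // NXDOMAIN, which ends the lookup instead of inviting a retry
    // against another resolver.
    zone "." {
        type master;
        file "empty.root.db";       // constructed file name
    };

    // Repeat our own zones here, otherwise the forwarder's
    // clients would get NXDOMAIN for them as well.
    zone "example.com" {
        type master;
        file "example.com.db";      // constructed file name
    };
};

// Everything else, including non-recursive queries from the
// forwarder, is answered from our authoritative data as before.
view "default" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.db";
    };
};
```

Once any view is defined, every zone has to live inside a view, which is why the authoritative zone appears in both. Run named-checkconf on the result before reloading.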