Reject cached answers
Sotiris Tsimbonis
tsimbonis at forthnet.gr
Thu Feb 1 13:46:36 UTC 2007
On 02/01/07 13:00, Stephane Bortzmeyer wrote:
> On Thu, Feb 01, 2007 at 01:18:40PM +0300,
> Wael Shahin <wael.shahin at gmail.com> wrote
> a message of 13 lines which said:
>
>> how can I prevent the replies that non-clients can get from my DNS servers
>
> You need BIND >= 9.4 and use the new directive allow-cache.
Or you can explicitly set allow-query { any; } in every zone you are
authoritative for, and allow-query { your-internal-nets; } in the global
options section of named.conf.
Entries like the following will appear in the security logfile, which
confirms the desired result :)
security: client 213.92.80.163#1138: query (cache) 'www.aekwien.or.at/A/IN' denied
security: client 213.92.80.163#1138: query (cache) '35.151.85.80.bl.spamcop.net/A/IN' denied
security: client 213.92.80.163#1138: query (cache) 'pandora.be/TXT/IN' denied
security: client 213.92.80.163#1138: query (cache) 'skandia-3.ip.peterstar.net/MX/IN' denied
Sot.
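The two-directive approach described in the reply above, written out as a named.conf fragment. This is an added example, not configuration posted by anyone in the thread; the ACL name, the 192.0.2.0/24 and 2001:db8::/32 ranges, the zone names, the slave's master address and the log file path are placeholders to be replaced with your own values. The global allow-query sets the default for everything that is not a zone you serve (so cache answers and recursion are refused to outsiders), and each authoritative zone overrides it with allow-query { any; } so the Internet can still resolve the names you are responsible for. The BIND 9.4 directive mentioned upthread is spelled allow-query-cache in the released versions; it defaults to the value of allow-recursion, so it is left commented out here.

```conf
// Added example (not from the original post): restrict cache answers to
// internal clients while keeping authoritative zones world-readable.

acl "internal-nets" {
    127.0.0.1;
    192.0.2.0/24;      // assumption: replace with your own client ranges
    2001:db8::/32;     // assumption: placeholder IPv6 range
};

options {
    directory "/var/named";

    // Default for anything not overridden per zone: only internal clients
    // may ask, so lookups answered from the cache are refused to outsiders
    allow-query     { "internal-nets"; };
    allow-recursion { "internal-nets"; };

    // BIND >= 9.4 only; defaults to the allow-recursion value above
    // allow-query-cache { "internal-nets"; };
};

logging {
    // Denied queries are logged in category "security"; print-category
    // produces the "security: client ... denied" lines quoted above
    channel security_log {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { security_log; };
};

// Authoritative zones override the global default so the whole Internet
// can still query the data you serve
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

zone "example.net" {
    type slave;
    masters { 192.0.2.1; };    // assumption: placeholder master address
    file "slaves/example.net.zone";
    allow-query { any; };
};
```

Check the result before and after reloading: `named-checkconf` catches syntax errors, and from a host outside the internal ranges `dig @yourserver example.com SOA` should still be answered while `dig @yourserver www.aekwien.or.at A` should come back REFUSED, with a matching "query (cache) ... denied" line in the security log. Note that every authoritative zone needs its own allow-query { any; }; a zone without it silently inherits the internal-only default and stops resolving for the outside world.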