Reject cached answers

Wael Shahin wael.shahin at gmail.com
Fri Feb 2 09:18:46 UTC 2007



> On 02/01/07 13:00, Stephane Bortzmeyer wrote:
>> On Thu, Feb 01, 2007 at 01:18:40PM +0300,
>>  Wael Shahin <wael.shahin at gmail.com> wrote
>>  a message of 13 lines which said:
>>
>>> how can I prevent the replies that non-clients can get from my DNS 
>>> servers
>>
>> You need BIND >= 9.4 and use the new directive allow-cache.
>
> Or you can explicitly set allow-query { any; } in every zone you are
> authoritative, and allow-query { your-internal-nets; } in the global
> options section of named.conf.

Yes, that did it, thank you.

> Entries like the following will appear in the security logfile, which
> confirm the desired result :)
>
> security: client 213.92.80.163#1138: query (cache) 'www.aekwien.or.at/A/IN' denied
> security: client 213.92.80.163#1138: query (cache) '35.151.85.80.bl.spamcop.net/A/IN' denied
> security: client 213.92.80.163#1138: query (cache) 'pandora.be/TXT/IN' denied
> security: client 213.92.80.163#1138: query (cache) 'skandia-3.ip.peterstar.net/MX/IN' denied
>
> Sot.
>
> 
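
An added example, not part of the original thread: a small Python script that tallies the `query (cache) ... denied` entries quoted above per client address, to check that the restriction is taking effect and to see who is probing the cache. The sample log is constructed (documentation addresses, example.* names), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the security-channel format quoted in the thread.
# The second entry is wrapped onto two lines, as mail clients often do.
SAMPLE_LOG = """\
security: client 192.0.2.10#1138: query (cache) 'www.example.org/A/IN' denied
security: client 192.0.2.10#1138: query (cache)
'mail.example.net/MX/IN' denied
security: client 198.51.100.7#53211: query (cache) 'example.com/TXT/IN' denied
security: client 192.0.2.10#4021: query 'internal.example.com/A/IN' denied
"""

# Matches only refused cache lookups. The optional groups tolerate the extra
# "@0x..." and "(qname)" fields that later BIND releases put around the address.
DENIED = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def unwrap(text):
    """Rejoin entries that were wrapped onto a continuation line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if entries and "client " not in line:
            entries[-1] += " " + line      # continuation of the previous entry
        else:
            entries.append(line)
    return entries

def denied_cache_queries(text):
    """Return (ip, qname, qtype) for every refused cache lookup."""
    hits = []
    for entry in unwrap(text):
        m = DENIED.search(entry)
        if m:
            hits.append((m["ip"], m["qname"], m["qtype"]))
    return hits

def summarize(text):
    """Count refused cache lookups per client address."""
    return Counter(ip for ip, _, _ in denied_cache_queries(text))

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} cache queries denied")
```

The last sample line is a non-cache denial and is deliberately not counted, so the totals reflect only outsiders asking for recursive or cached data.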


