question about allow-notify
ivan jr sy
ivan_jr at yahoo.com
Thu Jul 17 16:27:02 UTC 2008
--- On Fri, 7/18/08, aklist <aklist_bind at enigmedia.com> wrote:
> From: aklist <aklist_bind at enigmedia.com>
> Subject: question about allow-notify
> To: bind-users at isc.org
> Date: Friday, July 18, 2008, 3:52 AM
> Hi All: Pretty basic question... I have a master NS on a public IP and have a
> slave NS (Bind 9.5.0-P1) behind a NAT'd router (192.168.1/24). The master is
> sending notifies to the slave, but the slave is refusing the notifies because
> they're coming from the router's gateway IP (192.168.1.1) and not the IP of
> the primary NS.
>
> If I add the gateway IP to the allow-notify statement on the slave, that will
> just allow it to acknowledge the notify, and then load the zone from the
> primary NS in the zone statement, correct? IOW, is there any risk to adding
> allow-notify from the gateway IP? Obviously any computer in the world would be
> able to send it notifies at that point? Is there a potential DOS in this
> approach, and is there a better way to handle it?

Maybe you're right, but the DNS NOTIFY message just states that the DNS server should initiate a zone transfer from its master; well, of course the slave will query the SOA first. So unless there is a DDoS of DNS NOTIFY messages to your (internal) slave server, all it will do is just query the SOA RR of that zone from the master(s) over and over.
The best way to handle it is to use TSIG keys:
1. create a TSIG key
2. create an ACL with the value of the key
3. use that ACL for the allow-notify statement.
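A worked named.conf fragment for that three-step procedure, added here and not taken from either poster: the gateway-IP approach is shown commented out next to the TSIG-based ACL on the slave, together with the server statement the master needs so that its NOTIFY is actually signed with the key. The key name, algorithm (hmac-sha256), secret and all addresses are assumptions chosen for the example.

```conf
// Added example, not from the original thread. Key name, algorithm and the
// secret below are constructed placeholders: generate a real secret with
// dnssec-keygen or tsig-keygen and install the identical key on both servers.

// ---- Slave (behind NAT), before: trusts anything that arrives from the gateway IP
// allow-notify { 192.168.1.1; };   // weak: every packet the router forwards
//                                  // to the slave carries this source address

// ---- Slave, after: accept NOTIFY only when it carries a valid TSIG signature
key "notify-key" {
    algorithm hmac-sha256;                 // assumption; any algorithm both sides support
    secret "REPLACE_WITH_BASE64_SECRET=";  // placeholder, not a real key
};

// This ACL matches on the TSIG key, not on the source address, so it works
// unchanged no matter what address the NAT rewrites the packet to.
acl "signed-notify" { key "notify-key"; };

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 203.0.113.10; };             // master's public IP (constructed)
    allow-notify { "signed-notify"; };     // the gateway IP is no longer listed
};

// ---- Master (public IP): sign every message it sends to the slave with the same key.
// From the master's side the slave is reachable at the NAT router's outside address.
key "notify-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";  // same placeholder as on the slave
};

server 198.51.100.20 {                     // NAT router's public IP (constructed)
    keys { "notify-key"; };                // NOTIFY (and any query) to it gets TSIG-signed
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    also-notify { 198.51.100.20; };        // explicit, in case the NS record points elsewhere
};
```

With this in place the slave accepts the NOTIFY because the signature verifies, even though the packet still arrives from 192.168.1.1; an unsigned NOTIFY from that same gateway address is refused.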