question about allow-notify
Mark Andrews
Mark_Andrews at isc.org
Thu Jul 17 23:38:24 UTC 2008
> Hi All: Pretty basic question...I have a master NS on a public IP and have a
> slave NS (Bind 9.5.0-P1) behind a NAT'd router (192.168.1/24). The master is
> sending notifies to the slave, but the slave is refusing the notifies
> because they're coming from the router's gateway IP (192.168.1.1) and not
> the IP of the primary NS.
>
> If I add the gateway IP to the allow-notify statement on the slave, that
> will just allow it to acknowledge the notify, and then load the zone from
> the primary NS in the zone statement, correct? IOW, is there any risk to
> adding allow-notify from the gateway IP? Obviously any computer in the world
> would be able to send it notifies at that point? Is there a potential DOS in
> this approach, and is there a better way to handle it?
This will work or you could reconfigure your NAT to not
muck with the source addresses of DNS queries. This behaviour
is usually configurable.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
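A slave-side named.conf fragment illustrating the allow-notify approach asked about in the question, with a TSIG-keyed variant as the alternative when the NAT cannot be reconfigured. This is an added example, not configuration from the thread or from ISC; the zone name, addresses and key secret are placeholders.

```conf
// Placeholder zone and addresses: 203.0.113.10 is the public master,
// 192.168.1.1 is the NAT gateway whose address the slave sees.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 203.0.113.10; };   // the only host zone data is ever pulled from

    // A NOTIFY is just a trigger: on accepting one, the slave queries the SOA
    // of the hosts in "masters" and transfers from them if the serial moved.
    // It never loads data from the NOTIFY sender, so listing the gateway here
    // cannot inject zone content. The residual exposure is that anyone able to
    // source packets as 192.168.1.1 can make the slave run extra SOA checks.
    // Hosts in "masters" are always allowed to notify; this adds the gateway.
    allow-notify { 192.168.1.1; };

    // Alternative when the NAT cannot be changed: require the NOTIFY to carry a
    // TSIG signature instead of trusting a source address. Replace the
    // allow-notify line above with the following, and define the key below.
    // allow-notify { key "notify-key"; };
    // masters { 203.0.113.10 key "notify-key"; };
};

// Shared key (placeholder secret); the master signs its NOTIFY/AXFR to this
// slave with the same key via a matching "server { keys { ... }; };" stanza.
key "notify-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};
```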