Basic Question re Security issue

Skeeve Stevens skeeve at skeeve.org
Sat Jul 26 05:59:00 UTC 2008


Thanks for that, and my problem is now solved - I found the example @
http://support.menandmice.com/jforum/posts/list/25.page

I understand what the issue was now and yes, I was relying on the old
default.

Thing is, while I understand that running an open query DNS server is not an
ideal situation, I am not sure (assuming you are prepared to deal with the
bandwidth) what the actual problem is.

I understand the issue of the current security breach and the poisoning
attack against certain implementations of the DNS daemon, but assuming you
are running the latest safest version, is there anything actually wrong with
running an open DNS server?

...Skeeve



-----Original Message-----
From: Chris Buxton [mailto:cbuxton at menandmice.com] 
Sent: Saturday, 26 July 2008 3:37 PM
To: skeeve at skeeve.org
Cc: comp-protocols-dns-bind at isc.org
Subject: Re: Basic Question re Security issue

What version of BIND did you upgrade from? If it was BIND 9.3.x or
earlier, then I think you have not created an allow-recursion
statement - you've been relying on the default of:

options {
	allow-recursion { any; };
};

The new default is:

options {
	allow-recursion { localhost; localnets; };
};

You probably just need to open that back up somewhat. Please do not
return your config to using an allow-recursion ACL of { any; }. Keep
it as limited as you can while allowing those you must allow.

Chris Buxton
Professional Services
Men & Mice

On Jul 25, 2008, at 7:27 PM, Skeeve Stevens wrote:

> OK, I upgraded to the latest binds (tried latest 9.4 and 9.5) and the
> compatibility with my current 9.4 config file seemed fine, except
> recursion broke.
>
> So.. for a quick explanation here.
>
> After we have the latest safe code, what config changes should we be
> making for everything to be ok?
>
> .Skeeve
>
> --
> Skeeve Stevens, RHCE
> skeeve at skeeve.org / www.skeeve.org
> Cell +61 (0)414 753 383 / skype://skeeve
>
> eintellego - skeeve at eintellego.net - www.eintellego.net
> --
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum
>
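As an added example (not part of this thread, and not BIND's own tooling): a small Python audit that reads a named.conf fragment and reports whether its allow-recursion ACL is effectively open, the distinction Chris draws above between `{ any; }` and a limited list. The two configuration fragments embedded below are constructed for this example; the `trusted` ACL name, the 192.0.2.0/24 and 203.0.113.7 addresses and the `/var/named` directory are assumptions, not values from the posts. Named ACL references are resolved to their leaf elements, and a missing allow-recursion statement is reported as "unset" because, as the reply explains, the effective default then depends on the BIND version.

```python
import re

# Constructed sample named.conf fragments (assumptions for this example,
# not the poster's real configuration).
OLD_DEFAULT_STYLE = """
// The pre-9.4 default made explicit: anyone may recurse through this server.
options {
    directory "/var/named";
    allow-recursion { any; };
};
"""

RESTRICTED = """
// Name only the clients that must be allowed to recurse.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;    /* example office range (RFC 5737 documentation prefix) */
    !203.0.113.7;    // an explicit exclusion inside the list
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

# Address-match elements that admit every client.
OPEN_MARKERS = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def split_elements(body: str) -> list:
    """Turn the inside of an address-match list into its ';'-separated elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text: str) -> dict:
    """Map each top-level 'acl' statement name to its raw elements."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', text):
        acls[m.group(1)] = split_elements(m.group(2))
    return acls


def expand(elements, acls, seen=None) -> set:
    """Resolve references to named ACLs down to leaf elements.

    A '!' prefix on a name is carried onto the resolved elements; double
    negation through nested ACLs is not modelled here.
    """
    seen = seen if seen is not None else set()
    leaves = set()
    for e in elements:
        negated = e.startswith("!")
        name = e.lstrip("!").strip()
        if name in acls and name not in seen:
            seen.add(name)
            inner = expand(acls[name], acls, seen)
            leaves |= {("!" + x if negated else x) for x in inner}
        else:
            leaves.add(e)
    return leaves


def audit_recursion(conf: str) -> dict:
    """Report the effective allow-recursion list and a verdict: open, restricted or unset."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if not m:
        # No statement at all: BIND 9.3.x and earlier defaulted to { any; },
        # 9.4 and later to { localhost; localnets; }, so check the version.
        return {"leaves": set(), "verdict": "unset"}
    leaves = expand(split_elements(m.group(1)), acls)
    positive = {x for x in leaves if not x.startswith("!")}
    verdict = "open" if positive & OPEN_MARKERS else "restricted"
    return {"leaves": leaves, "verdict": verdict}


if __name__ == "__main__":
    for label, conf in (("old default", OLD_DEFAULT_STYLE), ("restricted", RESTRICTED)):
        result = audit_recursion(conf)
        print(f"{label}: {result['verdict']} -> {sorted(result['leaves'])}")
```

Run it against a real named.conf with `audit_recursion(open("/etc/named.conf").read())` (path is an assumption); anything reported as "open" is the `{ any; }` situation the reply above asks you not to return to, and "unset" means the version-dependent default is in force.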
