ip forwarding DNS 9.6.0
myron
kowalskM at cs.moravian.edu
Thu Apr 9 12:56:27 UTC 2009
On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
>
> In message <D7656C59-094F-4B37-B3CC-4496DB3AFB38 at cs.moravian.edu>,
> myron writes:
>> I started reading up on Kirk's suggestions of the allow-*** settings.
>> In the global options level
>> I put
>> options {
>>     directory "/etc/dns";
>>     allow-query-cache { any; };
>>     allow-query { any; };
>>     auth-nxdomain yes;
>> };
>>
>> and that definitely worked. By no means do I understand the paragraph
>> below from the README.
>> I need to mull over it for a while and determine where the options
>> should go, whether globally or in a view
>> and whether "any" is the right setting.
>
> Basically there are people using recursive DNS servers as
> amplifiers in DoS attacks by sending forged UDP queries.
> By restricting who can get access to the cache you reduce
> the effect of such queries to just anonymising the original
> query source.
>
> The defaults were changed so that only locally connected
> nets get recursive service and access to the cache. This
> default is right for a large majority of the users of named.
> You should expand allow-query-cache to include all the
> networks you want to offer recursive service to.
>
> Mark
I think I got it right. I just changed "any" to my network. It works.
options {
    directory "/etc/dns";
    allow-query-cache { int-net; };
    allow-query { int-net; };
    auth-nxdomain yes;
};
>
>
>> Thanks for all the help.
>>
>> --myron
>> =================================
>> Myron Kowalski
>> MoCoSIN Network/Systems Administrator
>> Moravian College
>> myron at cs.moravian.edu
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
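As an added illustration of the advice in this thread (not part of either poster's mail), the fragment below shows the open "any" form beside a restricted one. It assumes the "int-net" ACL from Myron's config is defined as shown (the 192.0.2.0/24 range is a placeholder), and it goes one step beyond the posted config by keeping allow-query open for authoritative zones while limiting recursion and cache access to the internal ACL.

```conf
// Assumed definition of the ACL the posted config refers to.
// 192.0.2.0/24 is a documentation range used here as a placeholder
// for the site's real internal networks.
acl "int-net" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

// Weak form from the first message: any host on the Internet may
// use the cache and recursion, so forged-source UDP queries can be
// reflected off this server at its victims.
//
// options {
//     allow-query-cache { any; };
//     allow-query { any; };
// };

options {
    directory "/etc/dns";
    // Authoritative data in the zones below may be served to anyone.
    allow-query { any; };
    // Recursive service and cached answers only for internal networks;
    // everyone else gets REFUSED for names this server is not authoritative for.
    allow-recursion { int-net; };
    allow-query-cache { int-net; };
    auth-nxdomain yes;
};

// Placeholder authoritative zone; external clients can still query it
// because allow-query is open, but cannot use the server as a resolver.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

To check the result, run a lookup for a name the server is not authoritative for from a host outside int-net; named should answer with status REFUSED, while the same query from an internal host is resolved normally.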