high volume from outside our networks question

Mark Andrews marka at isc.org
Wed Jan 30 21:54:55 UTC 2013


In message <CAOvd2ajEoGnmBkJj7doU9QuE2XKt4iz6+LrkO2_1W3zUSTiu-w at mail.gmail.com>
, rich carroll writes:
> 
>  acl "trusted" {
>      xxx.xxx.xxx.0/20;
>      xxx.xxx.xxx.0/23;
>      xxx.xxx.xxx.0/22;
>      xx.xxx.xxx.0/23;
>      xx.xxx.xxx.0/23;
>      xx.xxx.xxx.0/23;
>      x.xx.xxx.0/21;
>      x.xx.xx.0/24;
>      xxx.xxx.xxx.0/24;
>      localhost;
>      localnets;
>  };
> 
> options {
>     // Relative to the chroot directory, if any
>     directory    "/etc/namedb";
>     pid-file    "/var/run/named/pid";
>     dump-file    "/var/dump/named_dump.db";
>     statistics-file    "/var/stats/named.stats";
>     allow-recursion { "trusted"; };
>     allow-query    { any; };
>     allow-query-cache { "trusted"; };
> 
> It's a standard conf with the default stuff in it as well as 24 zones or so
> in it.
> 
> 
> 
> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr <sjcarr at gmail.com> wrote:
> 
> > So the response you received wasn't recursed ";; WARNING: recursion
> > requested but not available", so at least that ACL is holding up, but
> > it could be that the response you got is still being served from your
> > DNS server's cache. Can you share the exact configuration statements
> > you have implemented for allow-recursion and allow-query-cache and are
> > these options in the view stanza or in the global options?
> >
> > Best practice is that authoritative and recursive DNS servers should
> > be completely separate.
> >
> > Steve
> 
> 
> 
> -- 
> Richard Carroll
> richcarroll at gmail.com
> 785-288-1144

You should be getting "REFUSED" responses.   With the following
acls named returns REFUSED.

        allow-recursion { localhost; 2001:470:1f00:820::/64; };
        allow-query-cache { localhost; 2001:470:1f00:820::/64; };

/usr/local/bin/dig -4 ssss.com @drugs

; <<>> DiG 9.9.2-P1 <<>> -4 ssss.com @drugs
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44936
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ssss.com.			IN	A

;; Query time: 71 msec
;; SERVER: 192.168.191.223#53(192.168.191.223)
;; WHEN: Thu Jan 31 08:51:58 2013
;; MSG SIZE  rcvd: 37


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
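As an added example (not part of the thread and not ISC code), the following Python script does the same check Mark's dig run shows, from the point of view of a client outside the "trusted" ACL: it builds a recursive A query, decodes the 12-byte response header and reports whether the server sent REFUSED, set RA (recursion offered), set AA (authoritative answer), or returned an answer with neither AA nor RA, which is the cache-served case Steven raised and which means allow-query-cache admits the client even though allow-recursion does not. The function names (build_query, parse_header, classify, probe) and the sample headers are constructed for illustration; only classify() and parse_header() are exercised offline, probe() is what you would point at your own server.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Constructed sample response headers (12 bytes each). A real packet carries the
# question and any records after the header, but the header is all these checks need.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)        # qr rd, rcode 5
SAMPLE_CACHE_LEAK = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 1, 0, 0)     # qr rd, 1 answer, no aa, no ra
SAMPLE_OPEN_RESOLVER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # qr rd ra, 1 answer
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)  # qr aa rd, 1 answer


def build_query(qname, qid=0x1234, qtype=1):
    """Wire-format query for qname/IN/qtype with RD set, like dig without +norecurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the DNS header into the fields dig prints in its HEADER/flags lines."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "status": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "answer": an,
    }


def classify(resp, qid):
    """Map a response header to what it says about the server's ACLs.

    'refused'       -> allow-recursion and allow-query-cache both deny the client
    'open-resolver' -> RA set: recursion is offered to the client
    'authoritative' -> AA set: the server is authoritative for the name
    'cache-leak'    -> answer with neither AA nor RA: served from cache, so
                       allow-query-cache admits the client even though
                       allow-recursion does not (dig still prints "recursion
                       requested but not available" for this case)
    """
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "mismatch"
    if h["status"] == "REFUSED":
        return "refused"
    if h["ra"]:
        return "open-resolver"
    if h["aa"]:
        return "authoritative"
    if h["answer"] > 0:
        return "cache-leak"
    return h["status"].lower()


def probe(server, qname, timeout=3.0):
    """Send the query over UDP to port 53 and classify the reply (needs network)."""
    qid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp, qid)


if __name__ == "__main__":
    import sys
    # usage: python3 dnscheck.py <server-ip> <name-not-in-your-zones>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run probe() from an address outside every prefix in the "trusted" ACL and ask for a name you are not authoritative for; with the ACLs Mark shows, the only acceptable result is "refused". "cache-leak" means the allow-query-cache list is wider than allow-recursion (or the query is landing in a view with a different ACL), and "open-resolver" means the source address is matching the ACL after all.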