weird performance BIND version 9.6

Brian Cuttler brian at wadsworth.org
Wed Sep 25 20:32:50 UTC 2013


Alan,

Appreciate the warning, these options are restricted in our
public/internet facing servers.

The server that had given us grief is in fact internal and only
serves our internal addresses, and believe it or not the issue
revolved around forwarder zones from peer networks that are private
from the internet. Our desktops/linux workstations were not getting
those peer-private dns requests even though the server had them.

Our peer did something ultra special, a new private, unsanctioned
TLD, just for use on the peer networks... it's now impossible for us
to function without forwarder records or explicitly allowing
recursive queries on our internal and private network.



On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
> 
> On Sep 25, 2013, at 3:23 PM, Brian Cuttler <brian at wadsworth.org> wrote:
> 
> > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> > necessary statements.
> > 
> > recursion yes;
> > allow-recursion { any; };
> > allow-query     { any; };
> > allow-query-cache { any; };
> > 
> > I realize your problem may be entirely different.
> 
> And by doing this, you made yourself (again) an open recursive resolver capable of being used as a DoS amplifier.
> 
> Please don't use "any" in these ACLs.  Set ACLs that include only the address ranges that you control.
> 
> This public service announcement brought to you by those that care about the Internet.
> 
> (but thanks for upgrading to a relatively new version of BIND)
> 
> AlanC
> -- 
> Alan Clegg | +1-919-355-8851 | alan at clegg.com
> 


---
   Brian R Cuttler                 brian.cuttler at wadsworth.org
   Computer Systems Support        (v) 518 486-1697
   Wadsworth Center                (f) 518 473-6384
   NYS Department of Health        Help Desk 518 473-0773
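Added example, not from either poster: a named.conf fragment that places the "any" ACLs quoted in the thread beside the restricted form Alan recommends, plus a forward-only zone of the kind Brian describes for a peer network's private TLD. The address ranges, the TLD name and the forwarder addresses are constructed placeholders, not values from the thread.

```conf
// --- Weak form (as quoted in the thread): an open recursive resolver ---
// options {
//     recursion yes;
//     allow-recursion { any; };
//     allow-query     { any; };
//     allow-query-cache { any; };
// };

// --- Restricted form: recursion only for address ranges we control ---
// Constructed example prefixes; replace with your own internal ranges.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    recursion yes;
    allow-recursion   { internal; };   // who may ask this server to recurse
    allow-query       { internal; };   // who may query at all (internal-only server)
    allow-query-cache { internal; };   // who may read answers from the cache
};

// Forward-only zone for a peer network's private TLD that is only
// resolvable through the peer's own resolvers. The zone name and the
// forwarder addresses below are placeholders.
zone "peer-private-tld" {
    type forward;
    forward only;
    forwarders { 10.200.0.53; 10.200.0.54; };
};
```

Run `named-checkconf` against the file before reloading so a syntax error in the ACL does not take the resolver down.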