"Recursive no;" implications?

Steven Carr sjcarr at gmail.com
Wed Jan 22 08:43:04 UTC 2014


On 22 January 2014 05:29, LuKreme <kremels at kreme.com> wrote:
> OK, so in order to lock down your server against DDOS DNS attacks you need to restrict the access to the recursive lookup, yes? But if you set 'recursion no;' then your own servers will not lookup IP addresses for, for example, your mail server to check reject_unknown_reverse_client_hostname or related.
> Looking at that, if I am reading it correctly, I should have
> allow-recursion { "localnets"; }

So yes, that is an option to restrict which IPs can perform recursion
by using an ACL. A better option (and a better overall design) would be
to split your DNS servers: leave the current DNS servers as
authoritative only, and install a second set of DNS servers as a
caching layer that allows recursion and has no direct inbound
access from the Internet. All internal clients point to the caching
layer.

> in the options on the master and slave DNS servers (along with any other specific IPs that I want to/need to allow). Given the risks in allowing recursion for the wilds of the Internet, how are companies like Google able to allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS attacks?

Well, they probably are being subjected to DDoS all the time, but
Google uses its own DNS implementation, so more than likely they have
written in functionality to rate-limit and block specific
clients/requests. They also have a lot of bandwidth and a lot of
servers, using Anycast for distribution.
http://en.wikipedia.org/wiki/Google_Public_DNS
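
As an added example (not from the thread or from the BIND project), here are constructed named.conf fragments for the split design described above: an Internet-facing authoritative-only server and an internal caching resolver that recurses only for localnets. The zone name, zone file path and IP addresses are placeholders; the rate-limit block assumes a BIND version that ships response rate limiting (9.10 and later).

```conf
// --- named.conf on server 1: authoritative only, reachable from the Internet ---
// Answers only for the zones it hosts and never recurses, so it cannot be
// abused as an open resolver in DNS reflection/amplification attacks.
options {
    recursion no;
    allow-query { any; };           // anyone may query the zones we host
    allow-recursion { none; };      // explicit: no recursion for anybody
    // Response rate limiting (BIND 9.10+): caps identical answers sent to
    // one client prefix per second, blunting amplification abuse.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";   // placeholder path
    allow-transfer { 192.0.2.53; };           // placeholder slave address
};

// --- named.conf on server 2: caching resolver, internal network only ---
// Listens on an internal address (placeholder 10.0.0.53) and is firewalled
// from the Internet. The mail server (reject_unknown_reverse_client_hostname)
// and all other internal clients use this address as their resolver.
options {
    listen-on { 10.0.0.53; };        // internal interface only
    listen-on-v6 { none; };
    recursion yes;
    allow-query { localnets; };      // only directly attached networks
    allow-recursion { localnets; };  // built-in ACL: local interface nets
    allow-query-cache { localnets; };
};
```

A quick external check that server 1 is not an open resolver is to query it from outside for a name it is not authoritative for: the answer should be REFUSED and the "ra" flag should be absent.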


More information about the bind-users mailing list