From owner-freebsd-security  Sat Jan 29  8:55:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200])
	by hub.freebsd.org (Postfix) with SMTP id 7877E14E74
	for <freebsd-security@FreeBSD.ORG>; Sat, 29 Jan 2000 08:55:01 -0800 (PST)
	(envelope-from cjohnson@palomine.net)
Received: (qmail 14219 invoked by uid 1000); 29 Jan 2000 16:54:51 -0000
Date: Sat, 29 Jan 2000 11:54:51 -0500
From: Chris Johnson <cjohnson@palomine.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <20000129115451.A14160@palomine.net>
References: <200001290842460680.22E3EFC9@quaggy.ursine.com> <13429.949164414@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <13429.949164414@critter.freebsd.dk>; from Poul-Henning Kamp on Sat, Jan 29, 2000 at 05:46:54PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Jan 29, 2000 at 05:46:54PM +0100, Poul-Henning Kamp wrote:
> In message <200001290842460680.22E3EFC9@quaggy.ursine.com>, "Michael Bryan" wri
> tes:
> >
> >
> >On 1/29/00 at 8:34 AM Samara McCord wrote:
> >
> >>But this also brings up my other
> >>point.  Correct me if I'm wrong, but my DNS servers shouldn't ever have
> >>to deliver the MX records for aol.com (or any domain for which I don't
> >>serve), except to my own internal machines and for my own customers, right?
> >
> >If somebody has manually setup their system to use you as a DNS resolver,
> >then you will get packets for any and all DNS requests they make, no matter
> >where they are on the Internet.  Not a very smart way to do things, mind
> >you, but I've seen it before, usually from customers of mine who moved a
> >computer from work or another ISP and kept their old DNS settings.  I don't
> >think that's what's going on in your case, though...
> 
> Tell named to only recurse for your own IP range (takes code hacking).

Or use dnscache/tinydns instead of named. It's new, written by Dan Bernstein
(the author of qmail), and it'll give you control over who gets to request what
from your name servers.  It's also small, secure, simple, etc., like qmail is.
I'm completely BIND-free now, and haven't had any problems whatsoever.

http://cr.yp.to/dnscache.html

Chris


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message