Delivered-To: freebsd-security@freebsd.org
From: "Jim Flowers"
To: Tim Wilde
Subject: Re: DNS Question
Date: Mon, 22 Apr 2002 12:38:27 -0400

That is true, of course, but you can't turn recursion off when you are using a single server for both resolver service (for trusted hosts) and general lookup service for the world-at-large for your authoritative zones.

The best setup uses two services, one with recursion that can be used by trusted users and the other without that will allow queries to only the authorized zones. I have not been able to get both servers to run on a single host (with a single IP address) so the best I can do is the method described. It is interesting that for a small ISP we reject thousands of queries to our DNS servers that are not from our subscribers or for our authorized zone records.

> The allow-recursion { }; statement within the options { };
> block is more correct to use to limit recursion, I'm pretty
> sure it's available in BIND 8, and it definitely is in BIND
> 9. DNS & BIND is a very good resource, as is the BIND ARM
> that ships in the doc/ dir of the BIND distribution.
>
> Tim Wilde
>
> --
> Tim Wilde
> twilde@dyndns.org
> Systems Administrator
> Dynamic DNS Network Services
> http://www.dyndns.org/

--
Jim Flowers
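
The allow-recursion approach discussed in this thread, written out as a named.conf fragment with the open setting beside the restricted one. This is an added example, not part of either message; the ACL name "trusted", the 192.0.2.0/24 network, the example.org zone and the file paths are placeholder assumptions.

```conf
// named.conf fragment (BIND 9 syntax). Constructed example:
// ACL name, network, zone name and paths are placeholders.

acl "trusted" {
    localhost;
    192.0.2.0/24;          // placeholder for the subscriber network
};

// Weak setting, shown commented out for comparison: recursion is
// offered to every source address, so the server resolves arbitrary
// names for anyone who queries it.
//
// options {
//     directory "/etc/namedb";
//     recursion yes;
//     allow-recursion { any; };
// };

// Restricted setting: recursion stays enabled, but only clients that
// match the "trusted" ACL get recursive service. Everyone else can
// still query the zones this server is authoritative for.
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { trusted; };
};

// Authoritative zone that stays open to queries from any source.
zone "example.org" {
    type master;
    file "master/example.org.db";
    allow-query { any; };
};
```

Running named-checkconf against the file checks the syntax before named is reloaded.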