From owner-freebsd-security  Mon Apr 22 12:58:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from quartz.bos.dyndns.org (quartz.bos.dyndns.org [66.37.215.2])
	by hub.freebsd.org (Postfix) with ESMTP id 65C4137B427
	for <freebsd-security@FreeBSD.ORG>; Mon, 22 Apr 2002 12:58:56 -0700 (PDT)
Received: from quartz.bos.dyndns.org (twilde@localhost [127.0.0.1])
	by quartz.bos.dyndns.org (8.12.2/8.12.2) with ESMTP id g3MG4WuH007880;
	Mon, 22 Apr 2002 12:04:32 -0400 (EDT)
Received: from localhost (twilde@localhost)
	by quartz.bos.dyndns.org (8.12.2/8.12.2/Submit) with ESMTP id g3MG4VUJ007866;
	Mon, 22 Apr 2002 12:04:32 -0400 (EDT)
X-Authentication-Warning: quartz.bos.dyndns.org: twilde owned process doing -bs
Date: Mon, 22 Apr 2002 12:04:31 -0400 (EDT)
From: Tim Wilde <twilde@dyndns.org>
X-X-Sender: twilde@quartz.bos.dyndns.org
To: Jim Flowers <jflowers@ezo.net>
Cc: Mario Lobo <Mlobo@ear.com.br>, <freebsd-security@FreeBSD.ORG>
Subject: Re: DNS Question
In-Reply-To: <20020422114506.M42132@ezo.net>
Message-ID: <Pine.GSO.4.44.0204221202580.25336-100000@quartz.bos.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Mon, 22 Apr 2002, Jim Flowers wrote:

> You don't say what version but assuming 8.x.x there are a number of options
> to help.  Read Chapter 10 of the DNA & BIND book.  Particularly, you can
> configure your dns to be useful as a resolver to only your trusted addresses
> with option allow-query {trusted-addresses;} while at the same time allowing
> everyone access to your authoritative zones with an allow-query {any;} entry
> in each of your authoritative zone files.

The allow-recursion { }; statement within the options { }; block is more
correct to use to limit recursion, I'm pretty sure it's available in BIND
8, and it definitely is in BIND 9.  DNS & BIND is a very good resource, as
is the BIND ARM that ships in the doc/ dir of the BIND distribution.

Tim Wilde

-- 
Tim Wilde
twilde@dyndns.org
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message