From owner-freebsd-current@FreeBSD.ORG Thu Jun 8 07:15:59 2006
From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Wed, 07 Jun 2006 21:43:16 -0700
To: Maxim Konovalov
Cc: current@freebsd.org
Subject: Re: named recursive queries
Message-ID: <4487AAE4.6020209@FreeBSD.org>
In-Reply-To: <20060608015022.Y52876@mp2.macomnet.net>
List-Id: Discussions about the use of FreeBSD-current

Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too. Any
> objections?

Yes. :)

The default named.conf already has the following:

        listen-on { 127.0.0.1; };

which is a more effective solution to the problem. (Although you're not
the first person to suggest this, so don't feel bad.) :)

That said, BIND 9.4 is going to have a default for allow-recursion of
"localhost; localnets;" which might be a good thing for us to make
explicit now, so our users have a chance to get used to the idea.

Comments?

Doug

> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf	5 Sep 2005 13:42:22 -0000	1.22
> +++ named.conf	7 Jun 2006 21:56:26 -0000
> @@ -30,6 +30,13 @@ options { > // > // forward only; > > +// Prevent external networks from using us to query domains we are not > +// authoritative for. > +// > + allow-recursion { > + localhost; > + }; > + > // If you've got a DNS server around at your upstream provider, enter > // its IP address here, and enable the line below. This will make you > // benefit from its cache, thus reduce overall DNS traffic in the Internet. > -- This .signature sanitized for your protection
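Review bot: the ACL added as `allow-recursion { localhost; };` is narrower than the `localhost; localnets;` default that the reply says BIND 9.4 will ship, so a user who later widens `listen-on` to serve a LAN (the case the hunk's own comment is about) will have recursion refused for every client except the box itself. Suggest `allow-recursion { localhost; localnets; };` to match the upcoming default, or at least a sentence in the new comment saying that LAN resolvers have to be added to this ACL. The comment's "query domains we are not authoritative for" also slightly overstates what the statement does: it only stops recursion; queries for zones this server is authoritative for are still answered from any address that can reach the listening socket, which is the intended behaviour and worth stating so nobody reads the ACL as a general query filter.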
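The thread turns on the interaction between `listen-on` and `allow-recursion`: the default `listen-on { 127.0.0.1; };` keeps named off the network, and the patch only matters once someone widens it. Below is an added example, not code from the post or from FreeBSD's etc/namedb/named.conf, that audits an options block for that combination: it parses a named.conf, reads `listen-on`, `listen-on-v6` and `allow-recursion`, and reports whether the server is loopback-only, an open recursive resolver, or restricted. It assumes the BIND 9.3-era behaviour the thread discusses (no `allow-recursion` statement means recursion for any client that can reach the socket), and treats a missing `listen-on` as "any" and a missing `listen-on-v6` as no IPv6 listeners. The three sample configs are constructed for the example and only loosely follow the FreeBSD file's shape.

```python
"""Audit a BIND named.conf options block for open-recursion exposure.

Added example, not part of the original mailing-list post or of FreeBSD's
etc/namedb/named.conf. Assumptions (BIND 9.3-era semantics as discussed
in the thread): a missing allow-recursion statement means recursion is
allowed to anyone who can reach the listening socket; a missing listen-on
means all IPv4 interfaces; a missing listen-on-v6 means no IPv6 listeners.
"""
import re
from typing import Optional, Set

# Addresses/ACL names that only ever mean "this host".
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block(text: str, name: str) -> Optional[str]:
    """Return the body of the first `name ... { ... }` statement, brace-matched.

    The lookarounds keep `listen-on` from matching `listen-on-v6` and
    `allow-recursion` from matching `allow-recursion-on`.
    """
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])[^{;]*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in {name} block")


def acl_members(body: str) -> Set[str]:
    """Split `{ a; b; }` body text into its member tokens."""
    return {tok.strip() for tok in body.split(";") if tok.strip()}


def audit(conf: str) -> str:
    """Classify a config as 'loopback-only', 'open-recursion' or 'restricted'."""
    text = strip_comments(conf)
    opts = block(text, "options")
    if opts is None:
        raise ValueError("no options block found")

    listeners: Set[str] = set()
    for stmt, default in (("listen-on", {"any"}), ("listen-on-v6", set())):
        body = block(opts, stmt)
        listeners |= acl_members(body) if body is not None else default
    listeners.discard("none")

    # Nothing reachable from off-host: allow-recursion is moot, as the
    # reply points out for the FreeBSD default.
    if listeners <= LOOPBACK:
        return "loopback-only"

    rec = block(opts, "allow-recursion")
    recursors = acl_members(rec) if rec is not None else {"any"}  # assumed 9.3 default
    if "any" in recursors or "0.0.0.0/0" in recursors:
        return "open-recursion"
    return "restricted"


# Constructed sample configs (not the real FreeBSD file).
SAMPLE_DEFAULT = """
options {
        directory       "/etc/namedb";
        // named used only as a local resolver: safe default.
        listen-on       { 127.0.0.1; };
};
"""

SAMPLE_WIDENED = """
options {
        directory       "/etc/namedb";
        listen-on       { any; };       /* made reachable, ACL forgotten */
};
"""

SAMPLE_PATCHED = """
options {
        directory       "/etc/namedb";
        listen-on       { 192.0.2.53; 127.0.0.1; };
        allow-recursion { localhost; localnets; };
};
"""

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT),
                        ("widened", SAMPLE_WIDENED),
                        ("patched", SAMPLE_PATCHED)):
        print(f"{label:8s} -> {audit(conf)}")
```

The "widened" case is the one the patch is defending against: the moment `listen-on` stops being loopback-only, a config with no `allow-recursion` is an open resolver. Run against a real file with `audit(open("/etc/namedb/named.conf").read())`.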