Date: Sat, 29 Jan 2000 14:09:45 -0600 (CST)
From: Igor Roshchin <igor@physics.uiuc.edu>
To: mccord@zytek.com (Samara McCord)
Cc: phk@critter.freebsd.dk, sthaug@nethelp.no, fbsd-security@ursine.com, freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <200001292009.OAA22881@alecto.physics.uiuc.edu>
In-Reply-To: <200001291744.JAA36290@floozy.zytek.com> from "Samara McCord" at "Jan 29, 2000 9:44:53 am"
> >> Tell named to only recurse for your own IP range (takes code hacking).
> >
> >Not really. "allow-recursion" is your friend.
> >
> >options {
> >        allow-recursion {
> >                localnets;
> >                x.y.z/24;    // Other addresses allowed
> >        };
> >};
> >
> >Requires BIND 8.2.1 or newer.
> >
>
> Thanks, this was helpful. Also, I've found that you can emulate this
> behavior on BIND 8.2 (which doesn't have allow-recursion) by the following:
>
> options {
>         allow-query { localnets; };
> };
> zone "xxx.com" {
>         type master;
>         ...
>         allow-query { any; };
>         ...
> };
>
> This says that for queries within the authoritative zone, allow
> anything, but for all other queries, only allow specific IPs.
>
> Sam

First of all, thanks to everybody. There were several helpful hints.

Second, let me point out the difference between the two methods suggested
above. The second one is more difficult to implement if you have many
domains under your DNS control (you need to do that for every domain).
However, the second method seems to provide a more desirable (?) result:
if you try to send an nslookup request about an outside domain to the
server from an outside host, it will respond with "query refused".
In the first case (using "allow-recursion"), the server will not refuse
the query, but rather will respond with the root-servers information.
I am not sure how all client-side software would react to such a response,
but this type of response might not turn their resolvers away immediately.

Igor

PS. As a side note: does anybody know of any program/script analogous to
"adduser" for adding domain records to the DNS database? This is not
related to this list, so please respond directly.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
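The two approaches compared in the message above, written out as BIND 9 named.conf fragments. This is an added example, not configuration posted by anyone in the thread; the client network 192.0.2.0/24, the zone example.com and its file name are placeholders. The fragments are alternatives: a named.conf may contain only one options statement, so pick A or B, not both.

```conf
// Added example (not from the original thread).
// Placeholders: 192.0.2.0/24 is the site's client range, example.com the
// zone this server is authoritative for, master/example.com.db its file.

// ---- Alternative A: restrict recursion, leave authoritative data public ----
// Only listed clients may use the server as a recursive resolver. The
// message above notes that, with allow-recursion alone, an outside host
// asking for a foreign name got a referral to the root servers instead of
// a refusal. BIND 9 adds allow-query-cache; when unset it defaults to the
// allow-recursion list, so such clients get REFUSED rather than a referral.
// Setting it explicitly documents that intent instead of relying on the
// default.
options {
        recursion yes;
        allow-recursion   { localnets; 192.0.2.0/24; };
        allow-query-cache { localnets; 192.0.2.0/24; };
        allow-query       { any; };    // authoritative answers stay public
};

zone "example.com" {
        type master;
        file "master/example.com.db";
};

// ---- Alternative B: Sam's emulation for BIND without allow-recursion ----
// Deny everything by default and reopen each authoritative zone. The
// per-zone allow-query must be repeated in every zone statement; a zone
// that omits it inherits the restrictive global default and becomes
// unreachable from outside, which is the maintenance cost the message
// points out.
options {
        recursion yes;
        allow-query { localnets; 192.0.2.0/24; };
};

zone "example.com" {
        type master;
        file "master/example.com.db";
        allow-query { any; };          // override the global restriction
};
```

To confirm which behaviour a running server exhibits, query it from a host outside the allowed range for a name it is not authoritative for (for example `dig @ns.example.com www.example.net A`) and read the header line: `status: REFUSED` is the refusal the message prefers, while `status: NOERROR` with an empty ANSWER section and root servers in the AUTHORITY section is the referral it warns about.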