From owner-freebsd-security Sat Jan 29 12:31:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 2213D160C1 for ; Sat, 29 Jan 2000 12:31:33 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id VAA14540; Sat, 29 Jan 2000 21:30:58 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: sthaug@nethelp.no Cc: igor@physics.uiuc.edu, mccord@zytek.com, fbsd-security@ursine.com, freebsd-security@FreeBSD.ORG Subject: Re: Continual DNS requests from mysterious IP In-reply-to: Your message of "Sat, 29 Jan 2000 21:23:17 +0100." <2806.949177397@verdi.nethelp.no> Date: Sat, 29 Jan 2000 21:30:58 +0100 Message-ID: <14538.949177858@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <2806.949177397@verdi.nethelp.no>, sthaug@nethelp.no writes: >> However, the second method seems to provide more desired (?) result: >> If you try to send an nslookup request about an outside domain >> to the server from an outside host, it will respond as "query refused". >> In the first case (using "allow-recursion"), the server will not >> refuse the query, but rather will respond with the root-servers information. > >This is on purpose. The idea of the "allow-recursion" option is to limit >the amount of work that a disallowed client can ask from your server. This >means that it will either return a referral, or an answer from its cache. >But it will *not* perform any new queries on behalf of a disallowed client. > >The amount of work to return a "query refused" is about the same as that >of returning a referral or an answer from the cache. Yes, but "query refused" might have the advantage of signalling the other end to reconfigure. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message