From owner-freebsd-security Sat Jan 29 21:34:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.79.126])
        by hub.freebsd.org (Postfix) with ESMTP id BF03B151E9
        for ; Sat, 29 Jan 2000 21:34:46 -0800 (PST)
        (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.79.115])
        by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id WAA05464;
        Sat, 29 Jan 2000 22:34:22 -0700 (MST)
        (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
        by nomad.yogotech.com (8.8.8/8.8.8) id WAA12435;
        Sat, 29 Jan 2000 22:34:21 -0700 (MST)
        (envelope-from nate)
Date: Sat, 29 Jan 2000 22:34:21 -0700 (MST)
Message-Id: <200001300534.WAA12435@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Poul-Henning Kamp
Cc: "Michael Bryan" , freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: <13429.949164414@critter.freebsd.dk>
References: <200001290842460680.22E3EFC9@quaggy.ursine.com>
        <13429.949164414@critter.freebsd.dk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >>But this also brings up my other
> >>point.  Correct me if I'm wrong, but my DNS servers shouldn't ever have
> >>to deliver the MX records for aol.com (or any domain for which I don't
> >>serve), except to my own internal machines and for my own customers, right?
> >
> >If somebody has manually set up their system to use you as a DNS resolver,
> >then you will get packets for any and all DNS requests they make, no matter
> >where they are on the Internet.  Not a very smart way to do things, mind
> >you, but I've seen it before, usually from customers of mine who moved a
> >computer from work or another ISP and kept their old DNS settings.  I don't
> >think that's what's going on in your case, though...
>
> Tell named to only recurse for your own IP range (takes code hacking).

Actually, it doesn't.  Newer versions of named have this as a feature...

options {
        // Only allow 'generic' queries from machines in this
        // network.  This requires an 'allow-query { any; };' in
        // the declaration of each zone we are authoritative for.
        allow-query {
                127.0.0.1;
                206.127.79.112/29;
                206.127.79.120/29;
        };
};

zone "yogotech.com" {
        type master;
        file "master/yogotech.com";
        // yogoNS names an acl defined elsewhere in named.conf (not shown).
        allow-transfer { yogoNS; };
        // Zone-level override: anyone may query the data we serve.
        allow-query { any; };
};

The only requirement is that you add 'allow-query { any; };' for any
zone you are authoritative for, but this is minor.

Doing this stopped a number of people who were 'abusing' my DNS
servers...

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message