From: Simon 'corecode' Schubert
Date: Tue, 17 Jan 2006 14:13:56 +0100
To: Steve Suhre
Cc: freebsd-hackers@freebsd.org
Subject: Re: Named requests filling up T1

Steve Suhre wrote:
> Thanks, I think that's what I was looking for. I expect the "ISP" is in
> another country somewhere and would be hard to reach, if they could be
> reached at all. And it's probably a bad reference somewhere to the
> server here, so shutting off recursive queries could help... If I shut
> named off for an hour or two they go away, so I'm guessing the offending
> server switches to the secondary and gets what it's looking for?

In any case you should only allow recursive queries for your trusted
clients and/or downstream nameservers which forward to you. Otherwise

a) you produce outgoing traffic when some stranger wants to
b) your DNS cache can easily be poisoned because of a)

cheers
  simon
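
The restriction recommended in the reply above, as an added BIND named.conf example that is not part of the original message. The ACL name and all addresses are constructed placeholders (documentation ranges), and allow-query-cache assumes BIND 9.4 or later.

```conf
// Added example. Every address below is a constructed placeholder taken
// from the documentation ranges (RFC 5737 / RFC 3849); substitute your own.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // assumed: local client network
    2001:db8:10::/48;    // assumed: local IPv6 client network
    198.51.100.53;       // assumed: downstream nameserver that forwards here
};

options {
    // Weak setting, shown for contrast only: any source address may ask
    // this server to recurse on its behalf, which is both points a) and b)
    // of the reply.
    //   recursion yes;
    //   allow-recursion { any; };

    // Corrected setting: recursion stays on, but only for the ACL above.
    recursion yes;
    allow-recursion { trusted; };

    // BIND 9.4 and later: answers already in the cache are also limited
    // to the same clients, so strangers cannot read what was cached.
    allow-query-cache { trusted; };

    // Zones this server is authoritative for are still answered for
    // everyone; only recursion and cache access are restricted.
    allow-query { any; };
};
```

Run named-checkconf on the file before reloading named. After the reload, a recursive query sent from an address outside the ACL should come back REFUSED, while queries for the server's own zones are still answered.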