stomping forwarders
Lars-Johan Liman
liman at sunet.se
Thu Dec 16 15:20:26 UTC 1999
randy at psg.com:
> some inconsiderate folk point their resolvers at servers which it is not
> possible to hide (i'm not going to house an extra hidden machine just to
> be an in-house server). in one case, over 10% of the *total* inbound
> packets to a lan were from one dns abuser.
> i can filter them at the border router. this is hokey, and if they are
> not watching their systems and have a second server configured, they may
> never notice. the >10% resolver mentioned above is still hammering away
> despite being blocked for a week.
> i would love to give bind a list of IPs for which recursive requests
> will not be honored, but rather have nxdomain returned. or the inverse,
> a set of ip ranges for which recursion will be honored and the rest are
> given the nasties.
> clues?
1) Make your current server "non recursive". Add "listen-on" for the
current IP address.
2) Open up a second interface on the machine, with a new IP
address. Start a second "named" with "listen-on" on the new
address. Add "allow-query(-ies?)" to preferred addresses.
It's a second server, but not a second machine. Sufficient?
Cheers,
/Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, Systems Specialist ! E-mail: liman at sunet.se
# KTH Network Operations Centre ! HTTP : //www.sunet.se/~liman
# Royal Institute of Technology, Sweden ! Voice : Int +46 8 - 790 65 60
#----------------------------------------------------------------------
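The two-instance arrangement from the reply above, written out as BIND 9 `named.conf` fragments. This is an added example, not configuration from the original post; the addresses 192.0.2.1 and 192.0.2.2, the 192.0.2.0/24 "in-house" network, the zone name and the file paths are constructed placeholders. The option is spelled `allow-query`, and the last fragment goes one step beyond the post: BIND 9 also has `allow-recursion`, which lets a single instance serve authoritative data to everyone while granting recursion only to the listed addresses.

```conf
# /etc/named-public.conf -- instance 1: authoritative only, bound to 192.0.2.1
# (added example; addresses, paths and the zone name are constructed placeholders)
options {
    directory "/var/named";
    pid-file  "/var/run/named-public.pid";   # each instance needs its own pid file
    listen-on { 192.0.2.1; };                # only the public address
    recursion no;                            # never recurse, for anyone
    allow-query { any; };                    # authoritative data is public
};

zone "example.net" {
    type master;
    file "example.net.zone";
};

# /etc/named-resolver.conf -- instance 2: recursive resolver for in-house
# clients only, bound to the second address 192.0.2.2 on the same machine
acl in-house { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named-resolver";
    pid-file  "/var/run/named-resolver.pid";
    listen-on { 192.0.2.2; };                # only the in-house address
    recursion yes;
    allow-query { in-house; };               # outsiders get REFUSED, not an answer
};

# Single-instance alternative (BIND 9): one named, public authoritative service,
# recursion restricted to the in-house ACL instead of a second daemon
acl in-house { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 192.0.2.1; };
    allow-query { any; };                    # anyone may ask about our zones
    allow-recursion { in-house; };           # only in-house clients get recursion
};
```

Start the two daemons as `named -c /etc/named-public.conf` and `named -c /etc/named-resolver.conf`, then check from an address outside the ACL with `dig @192.0.2.2 www.example.com`: the status should be REFUSED. Note that this is a REFUSED response rather than the NXDOMAIN the original poster asked for, but either way the misconfigured resolver receives an explicit error immediately instead of timing out against a silent border filter, which makes the problem visible to its operator.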