Use allow-query on primary servers?

Cricket Liu cricket at acmebw.com
Tue Dec 21 19:41:18 UTC 1999


> Not really, though explicitly blocking systems that are being nasty
> would be reasonable. If you try to define a set of trusted hosts that
> are allowed to query your name servers, you probably lose. How are you
> going to predict which hosts and users on the internet will look up
> your domain(s) and the IP addresses of the name servers or resolvers
> they will use? This is only do-able when the name servers live behind
> a firewall and there's tight control over the nets that get routed
> over the internal network.

The technique Martin described *is* a good idea:  Limiting
queries for domain names not in your authoritative zones.
Turning recursion off is somewhat more effective, if you
can do it, but his isn't a bad solution.

Martin, what sorts of weird responses are you seeing?

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class!  See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
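
The two options discussed in this message, sketched as a named.conf fragment. This is an added example, not part of the original post; the ACL name, the address range, the zone name and the file name are placeholders.

```conf
// Constructed example: "internal", 192.0.2.0/24, example.com and
// db.example.com are placeholders, not values from the thread.
acl "internal" { 192.0.2.0/24; localhost; };

options {
    // Default for anything outside the zones below: only internal
    // clients may query, so outside hosts cannot use this server
    // to look up names it is not authoritative for.
    allow-query { "internal"; };

    // The alternative mentioned in the message, where it is possible:
    // turn recursion off entirely instead of filtering by client.
    // recursion no;
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Per-zone override: authoritative data stays answerable by
    // any host on the Internet.
    allow-query { any; };
};
```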


