Use allow-query on primary servers?
Jim Reid
jim at rfc1035.com
Wed Dec 22 00:21:03 UTC 1999
>>>>> "Cricket" == Cricket Liu <cricket at acmebw.com> writes:
>> Not really, though explicitly blocking systems that are being
>> nasty would be reasonable. If you try to define a set of
>> trusted hosts that are allowed to query your name servers, you
>> probably lose. How are you going to predict which hosts and
>> users on the internet will look up your domain(s) and the IP
>> addresses of the name servers or resolvers they will use? This
>> is only do-able when the name servers live behind a firewall
>> and there's tight control over the nets that get routed over
>> the internal network.
Cricket> The technique Martin described *is* a good idea: Limiting
Cricket> queries for domain names not in your authoritative zones.
Cricket> Turning recursion off is somewhat more effective, if you
Cricket> can do it, but his isn't a bad solution.
Yeah, you're right. I misread the original question as "how do I stop
unwanted clients from getting answers for my zone?" rather than "how
do I stop my name server from giving answers to unwanted clients for
zones other than my own?" And as you say, switching off recursion is a
better way to achieve that if it is a viable option.
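
The two approaches discussed in this thread, as an added named.conf sketch that is not part of the original messages: a global allow-query limited to known clients with a per-zone override for the authoritative zone, and the recursion-off alternative. The ACL name, the 192.0.2.0/24 network, the directory, the zone name and the file name are placeholders.

```conf
// Constructed example: all names, paths and addresses are placeholders.

acl "trusted" {
    localhost;
    192.0.2.0/24;               // clients allowed to use this server as a resolver
};

// Approach 1: restrict queries globally, then reopen them per authoritative zone.
options {
    directory "/var/named";
    allow-query { "trusted"; }; // default for every name not covered by a zone override
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };       // anyone on the internet may ask about this zone
};

// Approach 2: for a server with no resolver clients of its own, use this
// options block instead of the one above and drop the global allow-query.
// The server then answers only from its authoritative zones.
//
// options {
//     directory "/var/named";
//     recursion no;
// };
```

With approach 1, every authoritative zone on the server needs its own `allow-query { any; };`, otherwise outside clients are refused answers for that zone as well.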