preventing external use of nameserver for non-authoritative zones

Cricket Liu cricket at VeriSign.com
Thu Feb 1 18:04:12 UTC 2001


> I'm attempting to lock down our nameservers to prevent arbitrary hosts from
> getting responses to arbitrary queries, as recommended by the CIAC bulletin
> http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
>
> Mostly, there's no problem: I can lock things down such that internal users
> can use our servers for all requests, but external users may only use them
> for the zones for which we are authoritative.
>
> However, this presents a problem.  Under ox.ac.uk, a handful of zones are
> delegated to other nameservers within the University network, and the
> number of such delegations will increase as Active Directory becomes more
> popular.  When requesting from these delegated zones at our main
> nameservers, I find that the BIND will respond the first time it receives a
> particular request, even to an external host, but will not respond to an
> external host if the response has been cached, instead returning "REFUSED".
>
> Is there a solution to this problem?

Instead of using a query access control list, you could use the
allow-recursion substatement introduced in BIND 8.2.1 to
restrict recursive queries to clients on your network.

cricket
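The two named.conf layouts being contrasted in this thread, as an added example that is not from the post or from BIND's own documentation. It assumes BIND 8.2.1 or later syntax, a placeholder campus prefix (192.0.2.0/24) and a placeholder zone file name; substitute your own.

```conf
// Added example: "before" (query ACL) versus "after" (recursion ACL).
// 192.0.2.0/24 is a placeholder for the campus address ranges.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };

// --- Before: restrict allow-query server-wide, re-open it per zone ---
// Anything not covered by a per-zone allow-query, including answers cached
// from the zones delegated under ox.ac.uk, is served to "internal" only.
// An external host therefore gets an answer while the server still has to
// go and fetch it, and REFUSED once the same answer sits in the cache.
//
// options {
//     allow-query { "internal"; };
// };
// zone "ox.ac.uk" {
//     type master;
//     file "db.ox.ac.uk";
//     allow-query { any; };   // authoritative data stays open to everyone
// };

// --- After: leave queries open, restrict recursion instead ---
// Any host may ask, but only "internal" can make this server resolve names
// on its behalf. An external query for a name in a delegated subzone now
// gets the delegation (NS referral) from the ox.ac.uk zone instead of
// REFUSED, whether or not the answer happens to be cached.
options {
    directory "/var/named";          // placeholder path
    allow-query { any; };
    allow-recursion { "internal"; };
};

zone "ox.ac.uk" {
    type master;
    file "db.ox.ac.uk";              // placeholder zone file
};
```

Note that allow-recursion only limits whom the server will resolve names for; an external host sending non-recursive queries can still read records that are already in the cache, so this change removes the REFUSED symptom rather than hiding cached data.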




More information about the bind-users mailing list