How to filter ip addresses accessing our resolver.

Kevin Darcy kcd at daimlerchrysler.com
Mon Mar 26 22:19:23 UTC 2001


James Raftery wrote:

> On Mon, Mar 26, 2001 at 02:35:29PM +0200, antonio.castan at bt.es wrote:
> > We would like to resolve the domains that are defined on our DNS
> > Services to anyone in the Internet and filter the ip address that can
> > use our servers as recursive resolvers (for the domains that are not
> > defined on them).
>
> RTFM: use the allow-recursion statement.
> See http://www.isc.org/products/BIND/docs/config/options.html

But be aware that that is only a *partial* solution. Even if recursion is
disabled, the nameserver will still answer with whatever happens to be in
its cache, and if it's being used as a recursive server by internal clients,
you'll often have useful answers in your cache. So, while limiting recursion
may help repel stub resolvers, it often does little to discourage other
nameservers from pointing to you in "forward first" (opportunistic
forwarding) mode.

If you really want to lock things down, use allow-query globally to forbid
all external queries, and then open up selectively only for the zones that
you serve to the public. But even that is not perfect, since a misconfigured
stub resolver or forwarding nameserver which is already pointing at your
server may just start failing over to some other nameserver so quickly that
the user/administrator might never notice enough of a delay to realize there
is a problem.

Ah, if only blackhole were a zone-level option or I had enough time to code
an "answer-bogusly-to" zone-level option...

For now, the best thing is to run your external zones on an entirely
separate nameserver instance and deny recursion completely (or, more
maliciously, configure a root-zone wildcard). Then you have essentially
nothing in cache and nobody will benefit from explicitly including your
nameserver's address into their configuration (unless of course you've
foobar'ed your delegation records, in which case maybe that's the only way
they can resolve names in your domain :-).


- Kevin
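Below is an added named.conf sketch of the two layers of restriction discussed in this thread; it is not from Kevin's or James's posts, and the network 192.0.2.0/24 and the zone names are constructed placeholders standing in for an internal client range and a publicly served zone.

```conf
// File 1: the internal caching/authoritative server.
// Constructed example, not from the original post.

acl internal { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Layer 1 (James's answer): only internal clients may recurse.
    // Alone, this still lets outsiders read whatever is already cached.
    allow-recursion { internal; };

    // Layer 2 (Kevin's point): refuse every query from outside by default,
    // so cached answers are not handed to external stub resolvers or to
    // nameservers using this host in "forward first" mode.
    allow-query { internal; };
};

// Re-open only the zones this server is meant to answer for publicly.
// The zone-level allow-query overrides the global one for this zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// Internal-only zone: inherits the global allow-query { internal; }.
zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
};

// File 2: a separate, external-facing authoritative-only instance
// (Kevin's preferred layout). It never recurses, so its cache holds
// nothing worth harvesting and nobody gains anything by pointing a
// forwarder at it.

options {
    directory "/var/named";
    recursion no;             // never resolve on behalf of anyone
    allow-query { any; };     // answers come only from the zones below
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

To check the first server from an address outside the internal ACL, query it for a name that is not in one of its public zones with `dig @<server-address> +norecurse <some-cached-name>`: with the global `allow-query` in place the answer should be REFUSED, whereas with only `allow-recursion` set the server will still return the record if it happens to be cached. The same query against a public zone name should keep answering normally from both servers.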