Bind 9 Security Issue

Barry Margolin barmar at genuity.net
Wed Mar 6 22:12:59 UTC 2002


In article <a65sbe$ead at pub3.rc.vix.com>,
Do, Ho cao (CIT) <doh at mail.nih.gov> wrote:
>Yes, I did intend to deny recursive queries outside my network.  That means
>if the outside my network asks for the hostname that my DNS server is not
>authorized, it will not look for non-authoritative answer.  If the outside my
>network asks for the hostname that is in my DNS record, it will answer to
>them. 

Since we don't know what domains your server is authoritative for, it's
difficult for us to tell whether it's behaving as intended or not.

Here are two representative log messages:

>> denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov IN
>> denied recursion for query from [207.197.254.27].2544 for yahoo.com IN

I'm pretty sure you're not authoritative for yahoo.com, so the second log
message is probably what you expect.  I don't know about nrcs.usda.gov,
though; you're writing from nih.gov, so maybe the server you're talking
about is supposed to be authoritative for nrcs.usda.gov, in which case your
concern seems valid.

If you post the rest of your named.conf file, showing all the master and slave
zones, we could do a better job of judging whether your problem is valid.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
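The check Barry describes above, worked through as an added example (not code from the thread or from BIND itself): parse the "denied recursion" lines in the format quoted in the post and test whether each queried name falls inside one of the zones the server is supposed to be authoritative for. A denial for a name outside every authoritative zone is the expected result of restricting recursion; a denial for a name inside one of them is the case worth investigating, since a server that really serves that zone should answer from its own data without needing recursion. The zone list is an assumption standing in for the one the original poster never supplied; the log lines are constructed from the two quoted in the thread.

```python
import re

# Constructed sample input: the two log lines quoted in the thread, in the
# format BIND 9 uses for recursion denials.
SAMPLE_LOG = """\
denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov IN
denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
"""

# Assumption: the poster never listed the zones this server serves, so this
# placeholder list is used to illustrate the check. Replace it with the
# master and slave zones from the real named.conf.
AUTHORITATIVE_ZONES = ["nrcs.usda.gov", "example.net"]

# One regex for the "denied recursion" message: client address, source port,
# queried name and query class.
LOG_RE = re.compile(
    r"denied recursion for query from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) "
    r"for (?P<name>\S+) (?P<qclass>\S+)"
)


def parse_denied_line(line):
    """Return a dict with ip, port, name and qclass, or None if the line
    is not a recursion-denial message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def enclosing_zone(name, zones):
    """Return the longest zone in `zones` that contains `name` (the name
    itself or any label below it), or None if no zone contains it."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def classify_denials(log_text, zones):
    """Parse every denial line and mark whether the denial is expected.

    expected == True  : the name lies outside every authoritative zone, so
                        refusing recursion for an outside client is normal.
    expected == False : the name lies inside a zone this server should be
                        serving, which is the situation to investigate.
    """
    results = []
    for line in log_text.splitlines():
        rec = parse_denied_line(line)
        if rec is None:
            continue
        zone = enclosing_zone(rec["name"], zones)
        rec["zone"] = zone
        rec["expected"] = zone is None
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in classify_denials(SAMPLE_LOG, AUTHORITATIVE_ZONES):
        status = "expected" if rec["expected"] else "INVESTIGATE"
        print(f"{status:12} {rec['ip']:>16}:{rec['port']:<5} {rec['name']}"
              f"  (zone: {rec['zone']})")
```

Run against a real log by piping `grep 'denied recursion' named.log` into `classify_denials` and filling `AUTHORITATIVE_ZONES` from the `zone` statements in named.conf; any line reported as INVESTIGATE is one where the server refused recursion for a name it should have answered authoritatively, which usually means the zone is not actually loaded on that server or is spelled differently in the configuration.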

