cache server allow-recursion no problem?

Nate Campi nate at campin.net
Wed Mar 13 17:05:16 UTC 2002


On Wed, Mar 13, 2002 at 04:50:43AM -0800, David Xiao wrote:
> 
> Nate Campi <nate at campin.net> wrote in message news:<a6ls43$3oa at pub3.rc.vix.com>...
> > 
> > In your server's options statement put:
> > 
> > 	use-id-pool yes;
> > 
> > To enable random message IDs in queries, introduced in BIND 8.2. This
> > will help protect your servers that need recursion from spoofing
> > attacks. This is a standard part of BIND 9, so no worries if you run
> > that.

> You mean that if I set the use-id-pool option to enable random IDs, I
> can avoid such attacks?

You can make it quite a bit harder to spoof responses to your servers,
but I'll never say that you can avoid them completely. That's quite a
guarantee.

> BTW, how can I reduce the CPU usage of my nameserver?
> Now I use blackhole to block some IPs' heavy queries.

First you need to see where the queries are coming from. Use
allow-recursion to make sure no outside parties are using your server,
and if the usage is still high use query-logging (disk intensive) or
host-statistics (memory intensive) to see where the queries are coming
from.

There is always the chance that this is legitimate DNS traffic. If that
*is* the case, you may need more DNS servers or better hardware (or 
both).
-- 
Nate

"If you put a billion monkeys in front of a billion typewriters typing
at random, they would reproduce the entire collected works of Usenet in
about ... five minutes."   -Anon.

"Come to think of it, there are already a million monkeys on a million
typewriters, and the Usenet is NOTHING like Shakespeare!"   -Blair Houghton
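As an added example (not part of Nate's post, nor BIND's own documentation), here is a BIND 9 named.conf fragment that puts the advice above into practice: recursion is restricted to internal networks, a blackhole list drops a known abusive source, and query logging is wired up so you can see who is actually sending the load. The ACL networks, the blackholed range and the file paths are constructed placeholders.

```conf
// Added example, not from the original post. Addresses and paths are placeholders.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";            // placeholder path

    // Weak setting this replaces: allow-recursion { any; };
    // (older BIND 9 releases defaulted to that, so anyone on the Internet
    // could use the server as an open resolver and burn its CPU).
    recursion yes;
    allow-recursion { internal; };     // only our own clients get recursive service
    allow-query { any; };              // authoritative data stays publicly answerable

    // Constructed example of a source already dropped for abusive load;
    // this is the "blackhole" option referred to in the thread.
    blackhole { 198.51.100.0/24; };

    // BIND 8 only: use-id-pool yes;  (BIND 9 randomizes message IDs on its own)
};

// Query logging is disk intensive: enable it while diagnosing, then turn it off.
logging {
    channel querylog {
        file "/var/log/named/queries.log" versions 5 size 20m;  // placeholder path
        severity info;
        print-time yes;                // timestamps make per-client counting easy
    };
    category queries { querylog; };
};
```

After reloading with this in place, the query log lists the client address on every line, so a quick count of addresses over a few minutes of log tells you whether the remaining load is a handful of heavy talkers (candidates for the blackhole list) or broadly spread legitimate traffic that calls for more capacity, as the reply suggests.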
