Can I simply set some options to block that kind of notify information

Danny Mayer mayer at gis.net
Sun May 26 19:14:01 UTC 2002


At 08:47 AM 5/26/02, David Xiao wrote:

>By the random used by some users (they use one of my DNS Servers
>registered as their slave), the cpu usage of that DNS Server is very
>high.
>Because of some historical reason, there is a large amount of such kind
>of users.
>It is nearly impossible for me to ask them to revise their dns
>registration one by one.

If you are saying that you are a slave to a large number of zones, then
the zones must appear in your named.conf. That means that someone
at your site added them.  If you have agreements with the people who
have registered their domain and listed your site in their registration you
better leave them there.  If they have no agreement, you need to find out
who at your site authorized them to be served by your server. Zones can
be removed by simply removing them from named.conf and reloading.

If you mean that people are using your site for recursive queries you can
reduce traffic by using the allow-recursion clause to limit the IP addresses
for recursive queries to just those addresses that you want to serve.

>On the other hand, in order to keep my server's security, I don't want
>to accept the zone file they transfer to me.
>They often send some notify information which I found in the log file
>on that server every day.

Security is not compromised by zone transfers if you limit zone transfers
to only those masters that you include in your zone statement since those
masters are assumed to be authorized to do so. Only those listed in the
masters statement can transfer zones. Notifies are sent to tell the slave
that something changed in the master and to update the zone information.


>Can I simply set some options to block that kind of notify information
>to reduce the CPU Load or should I set up a firewall to filter that
>kind of info.

No.  In any case notifies do not put a load on the system. Queries do.

>BTW Will that kind of filter reduce the CPU load?

No.
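
An added illustration of the two settings named in the reply above (not part of the original message and not the poster's configuration): a named.conf fragment that restricts recursion with allow-recursion and keeps one agreed slave zone tied to its listed master. The ACL name, addresses, zone name and file path are constructed placeholders.

```conf
// Constructed example values: documentation address ranges and a
// placeholder zone. Replace them with the site's own.

// Clients that are allowed to use this server for recursive lookups.
acl "trusted-clients" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    // Recursive queries are answered only for the ACL above. Other
    // sources still get answers for zones this server is authoritative
    // for, but cannot use it as a general-purpose resolver.
    allow-recursion { "trusted-clients"; };
};

// A zone this site has agreed to serve as a slave. Zone data is
// fetched only from the address listed in masters.
zone "example.com" {
    type slave;
    file "slave/example.com.db";
    masters { 198.51.100.10; };
};

// A zone with no agreement behind it is dropped by deleting its
// zone block from named.conf and reloading the server.
```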


