allow-query for non authoritative zones

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 20 18:18:36 UTC 2003


"Seme, Markus" wrote:

> Hi,
> I want to block queries from several, different source IPs (spoofed) to
> the same domain (DOS).
> The domain is not under my authorization - for example microsoft.com
> !?
>
> It's easy to configure BIND9 with acl and allow-query for local zones
> (in my authorization) - for example:
>
> zone "local.com" {
>         type master;
>         file "local.com.zone";
>         allow-query { none; };
> };
>
> But I haven't any idea how I should configure it to block the queries
> for a domain that is not under my authorization!
>
> Or is there any other way to block such a DOS?

Generally speaking, this is better handled by restricting recursion.
Unless you already have the answer cached, the only way your nameserver
can get information about zones for which it is not authoritative is by
recursing to get the answer. So, no recursion = no answer (more or
less). In order to lessen the chance of the answer being cached (and
therefore being returned even in the absence of recursion), it is
recommended to completely segregate your recursive and non-recursive
nameservice.


- Kevin
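The segregation Kevin describes, as an added BIND 9 configuration example that is not part of the original thread: one named.conf fragment for the public authoritative-only server and one for the internal caching resolver. The zone name, file path and network ranges are placeholders; allow-query-cache is an assumption about later BIND 9 releases (9.4 and up), not something available in the 2003-era versions discussed here.

```conf
// ---- named.conf on the PUBLIC, authoritative-only server ----
// With recursion off, a query for microsoft.com (or any other zone this
// server does not hold) gets a referral or REFUSED, never a looked-up
// answer, so spoofed-source queries cannot make it do work for them.
options {
    directory "/var/named";        // placeholder path
    recursion no;                  // never recurse for anyone
    allow-query { any; };          // authoritative data is public by design
    allow-transfer { none; };      // placeholder: no zone transfers
};

zone "local.com" {                 // placeholder zone from the question
    type master;
    file "local.com.zone";
    // allow-query inherits "any" from options; narrow it per zone if needed
};

// ---- named.conf on the INTERNAL caching resolver ----
// Only the internal ACL may recurse, so answers for outside domains are
// only ever fetched (and cached) on behalf of internal clients.
acl "internal" {
    10.0.0.0/8;                    // constructed internal ranges
    192.168.0.0/16;
    localhost;                     // built-in ACL
};

options {
    directory "/var/named";        // placeholder path
    recursion yes;
    allow-recursion { internal; }; // outsiders are refused recursion
    allow-query { internal; };     // outsiders cannot query this box at all
    // Assumption: BIND 9.4 and later. Keeps already-cached answers from
    // being handed to outsiders, which closes the "more or less" gap Kevin
    // mentions when recursion alone is restricted.
    allow-query-cache { internal; };
};
```

Run `named-checkconf` on each file before reloading; the two fragments are meant for two separate servers, not one combined configuration.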



