yeodavid at gmail.com
Wed Nov 24 20:38:12 UTC 2004
Currently our DNS allows recursive queries from all users. We would
like to tighten up our security and limit the public use of our DNS.
Our current DNS uses views to allow "internal" users access to our
machines and those on the Internet and to resolve "external" queries
from the public to our machines.
By turning off recursion in our "external" view, will this completely
restrict "external" users from abusing our DNS with queries that we
are not the authoritative source for? Does the cache need to be
cleared and disabled? What will our DNS response be when a recursive
query is made for which we are not the authoritative source?
Using nslookup, I tried using a Yahoo DNS server to look up abc.com
and got this:
*** Can't find abc.com: No answer
Authoritative answers can be found from:
. nameserver = K.ROOT-SERVERS.NET.
. nameserver = L.ROOT-SERVERS.NET.
. nameserver = M.ROOT-SERVERS.NET.
. nameserver = I.ROOT-SERVERS.NET.
. nameserver = E.ROOT-SERVERS.NET.
. nameserver = D.ROOT-SERVERS.NET.
. nameserver = A.ROOT-SERVERS.NET.
. nameserver = H.ROOT-SERVERS.NET.
. nameserver = C.ROOT-SERVERS.NET.
. nameserver = G.ROOT-SERVERS.NET.
. nameserver = F.ROOT-SERVERS.NET.
. nameserver = B.ROOT-SERVERS.NET.
. nameserver = J.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET internet address = 188.8.131.52
L.ROOT-SERVERS.NET internet address = 184.108.40.206
M.ROOT-SERVERS.NET internet address = 220.127.116.11
I.ROOT-SERVERS.NET internet address = 18.104.22.168
E.ROOT-SERVERS.NET internet address = 22.214.171.124
D.ROOT-SERVERS.NET internet address = 126.96.36.199
A.ROOT-SERVERS.NET internet address = 188.8.131.52
H.ROOT-SERVERS.NET internet address = 184.108.40.206
C.ROOT-SERVERS.NET internet address = 220.127.116.11
G.ROOT-SERVERS.NET internet address = 18.104.22.168
F.ROOT-SERVERS.NET internet address = 22.214.171.124
B.ROOT-SERVERS.NET internet address = 126.96.36.199
J.ROOT-SERVERS.NET internet address = 188.8.131.52
I'd like our server to spit out something like this when an
unauthorized user tries to use our DNS.
More information about the bind-users