allow-recursive question

Jim Reid jim at
Wed Mar 30 17:40:39 UTC 2005

>>>>> "Rafa" == Rafa  <rafaor at> writes:

    Mariano> Should I disable recursive queries for users outside my
    Mariano> networks?
    >>  YES! Nobody should be offering recursive DNS service to IP
    >> addresses outside their network. Open DNS service like that is
    >> almost as bad as an open mail relay. Of course authoritative
    >> name servers have to accept (non-recursive) queries from
    >> everywhere. These servers however should not be offering
    >> recursive service.

    Rafa> It might be a problem if you have "roaming" customers.  In
    Rafa> some OS (the older Windows versions at least), a manually
    Rafa> configured DNS would override any DNS configured via DHCP.

So what? That's beside the point. Broken client software is not an
excuse for leaving recursive name servers wide open. Suppose I'm one
of these roaming users. How are your name servers supposed to know
that I'm entitled to use them when I'm on some other network? How are
they supposed to tell the difference between the genuine roaming user
and the next bozo who happens to get that IP address? What if the
roaming user can't reach their "home" name servers because of the
security policy on the guest network?

    Rafa> I wouldn't go as far as saying that they are as bad as an
    Rafa> open mail relay, but open dns servers do tend to have a
    Rafa> higher load (obviously).

Open recursive name servers can be abused for all sorts of evil
things. That's why I said what I did. 
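
An added example, not part of the original post: a Python check for auditing your own name server from an address outside your networks, by reading the RA (recursion available) flag and RCODE in its reply header. The function names are hypothetical and the sample replies are constructed header-only packets, not captured traffic.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
RCODE_REFUSED = 5


def build_query(name, qid=0x1234):
    """Build an A/IN query with RD set, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def classify_response(packet):
    """Classify a reply to build_query() that was sent from outside your networks."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", packet[:4])
    if not flags & QR:
        raise ValueError("not a DNS response")
    if (flags & 0x000F) == RCODE_REFUSED:
        return "refused"
    if flags & RA:
        return "recursion-offered"     # open to this client: tighten the ACL
    return "recursion-denied"          # referral or authoritative-only answer


# Constructed header-only replies (assumed sample data).
SAMPLES = {
    "open":     struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0),
    "refused":  struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0),
    "referral": struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", classify_response(pkt))
```

Send `build_query("example.com")` over UDP to port 53 of your own server from a host outside your networks and pass the reply to `classify_response`. Use a name the server is not authoritative for, so the answer can only come from recursion.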
