Mark_Andrews at isc.org
Thu Nov 16 22:01:29 UTC 2006
> Do you know how you would go about locking down your advertising DNS
> servers by turning recursion off but still allowing some CNAMEs to
> resolve to other external non-authoritative.
You just turn recursion off. Iterative resolvers know how
to handle the answers and follow the CNAMEs themselves.
> For example you are advertising the domain
> In the zone file it contains
> Test IN A 184.108.40.206
> More IN A 220.127.116.11
> Again IN A 18.104.22.168
> Out IN CNAME somexternal.domain.com.
> Nice IN A 22.214.171.124
> Outside IN CNAME yahooos.yahoo.com.
> The hostname outside.hello.com. will not resolve as my server is
> non-recursive, also out.hello.com. will also not resolve. How would I be
> able to work around this situation in order to protect my DNS server
> from performing recursive lookups to the rest of the world?
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
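
Added example (not part of the original post and not BIND code): a toy model of the behaviour described in the reply, where an authoritative-only server hands back the CNAME from its own zone and the querying resolver restarts the lookup at the target. The names come from the zone quoted above; the addresses, the function names and the extra zones are constructed for the illustration.

```python
# Added illustration: toy model, no network traffic. Addresses are constructed
# (RFC 5737 documentation ranges); names come from the zone quoted in the post.

# Each authoritative-only server knows just its own zone (recursion off).
ZONES = {
    "hello.com.": {
        "test.hello.com.": ("A", "192.0.2.10"),
        "out.hello.com.": ("CNAME", "somexternal.domain.com."),
        "outside.hello.com.": ("CNAME", "yahooos.yahoo.com."),
    },
    "domain.com.": {"somexternal.domain.com.": ("A", "198.51.100.7")},
    "yahoo.com.": {"yahooos.yahoo.com.": ("A", "203.0.113.9")},
}


def authoritative_answer(zone, qname):
    """Answer from local zone data only; never chase a CNAME out of zone."""
    if not qname.endswith("." + zone) and qname != zone:
        return ("REFUSED", None)          # not our zone and recursion is off
    record = ZONES[zone].get(qname)
    return record if record else ("NXDOMAIN", None)


def find_zone(qname):
    """Stand-in for the resolver's walk down from the root: longest suffix match."""
    matches = [z for z in ZONES if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def iterative_resolve(qname, max_chain=8):
    """What the client's resolver does: restart the query at each CNAME target."""
    chain = []
    for _ in range(max_chain):            # bound the chain to stop CNAME loops
        zone = find_zone(qname)
        if zone is None:
            return chain, None
        rtype, rdata = authoritative_answer(zone, qname)
        chain.append((zone, qname, rtype, rdata))
        if rtype == "A":
            return chain, rdata
        if rtype != "CNAME":
            return chain, None
        qname = rdata                     # follow the alias ourselves
    return chain, None


if __name__ == "__main__":
    for step in iterative_resolve("outside.hello.com.")[0]:
        print(step)
```

The hello.com. server is only ever asked about names in hello.com.; the second hop goes to the target's own servers, which is why it does not need recursion enabled.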