Dropping external recursive requests

john at feith.com john at feith.com
Wed Dec 3 01:10:18 UTC 2008

Our DNS server occasionally gets requests for recursion with forged src
Currently our server returns "Standard query response, Refused" since our named.conf only allows recursion for our internal machines.  This, of course, results in the poor machine whose address was forged receiving spurious traffic.

Some of the Cisco firewalls support DNS inspection and can be configured to drop requests which want recursion.  What are the ramifications of enabling

Can bind be configured to do this?  I was thinking about something

view "internal" {
  match-clients { localhost; localnets; };
};

view "external-recursive" {
  match-clients { any; };
  match-recursive-only yes;
  blackhole { any; };
};

view "external" {

-- John
john at feith.com
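The policy sketched in the post (answer internal clients, serve non-recursive queries to anyone, and either refuse or silently drop recursion-desired queries from outside) can be modelled outside of named to see what each choice does to the host whose address was forged. The Python below is an added example, not code from the post or from BIND: it parses the 12-byte DNS header to read the RD and QR bits, checks the source against a constructed list of internal networks standing in for "localhost; localnets;", and classifies each query as answer, refuse or drop. build_refused builds the REFUSED reply a server would send, which shows that a refusal is the same size as the query (no amplification) but is still one reflected packet per forged query, which is exactly the traffic the post wants to stop. One caveat on the snippet itself: match-recursive-only is a real BIND 9 view option, but blackhole is an options-level statement and is not accepted inside a view, so the drop would have to come from the firewall inspection mentioned above or from a packet filter in front of named. The networks and the sample traffic are constructed.

```python
import ipaddress
import struct

# Constructed stand-in for BIND's "localhost; localnets;" in the internal view.
INTERNAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

QR_FLAG = 0x8000        # header bit 15: 0 = query, 1 = response
RD_FLAG = 0x0100        # header bit 8: recursion desired
RCODE_REFUSED = 5       # RFC 1035 RCODE for "Refused"


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "flags": flags,
        "qr": bool(flags & QR_FLAG),
        "rd": bool(flags & RD_FLAG),
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
    }


def is_internal(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src: str, packet: bytes, drop_external_recursive: bool = True) -> str:
    """Return 'answer', 'refuse' or 'drop' for one query from src.

    drop_external_recursive=False models a plain allow-recursion ACL (REFUSED
    goes back to the possibly forged source); True models dropping the packet
    on the floor, as firewall DNS inspection would.
    """
    hdr = parse_header(packet)
    if hdr["qr"]:
        return "drop"               # a response aimed at the server's query port is not a query
    if not hdr["rd"]:
        return "answer"             # authoritative lookup, served to any source
    if is_internal(src):
        return "answer"             # recursion allowed for internal clients
    return "drop" if drop_external_recursive else "refuse"


def build_query(qname: str, rd: bool = True, ident: int = 0x1234) -> bytes:
    """Constructed A/IN query for qname, with or without the RD bit set."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    flags = RD_FLAG if rd else 0
    return (struct.pack("!6H", ident, flags, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))   # QTYPE=A, QCLASS=IN


def build_refused(query: bytes) -> bytes:
    """The REFUSED reply a server returns: QR set, RD echoed, question copied."""
    hdr = parse_header(query)
    flags = QR_FLAG | (hdr["flags"] & RD_FLAG) | RCODE_REFUSED
    return struct.pack("!6H", hdr["id"], flags, hdr["qdcount"], 0, 0, 0) + query[12:]


def simulate(traffic, drop_external_recursive: bool) -> dict:
    """Count how a batch of (src, packet) pairs is handled under one policy."""
    counts = {"answer": 0, "refuse": 0, "drop": 0}
    for src, packet in traffic:
        counts[classify(src, packet, drop_external_recursive)] += 1
    return counts


# Constructed sample traffic: an internal recursive query, an external
# authoritative query, and an external recursive query (the forged-source case).
SAMPLE_TRAFFIC = [
    ("192.0.2.10", build_query("www.example.com", rd=True)),
    ("198.51.100.7", build_query("example.net", rd=False)),
    ("198.51.100.7", build_query("www.example.com", rd=True)),
]

if __name__ == "__main__":
    print("refuse policy:", simulate(SAMPLE_TRAFFIC, drop_external_recursive=False))
    print("drop policy:  ", simulate(SAMPLE_TRAFFIC, drop_external_recursive=True))
    q = build_query("www.example.com")
    print("query bytes:", len(q), "REFUSED reply bytes:", len(build_refused(q)))
```

Under the refuse policy the third packet produces a reply to 198.51.100.7 whether or not that host sent it; under the drop policy it produces nothing, which is the ramification the post asks about. The cost of dropping is that a legitimate external client that mistakenly sets RD gets a timeout instead of an immediate REFUSED.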

