Dropping external recursive requests
john at feith.com
Wed Dec 3 01:10:18 UTC 2008
Our DNS server occasionally gets requests for recursion with forged source addresses.
Currently our server returns "Standard query response, Refused", since our named.conf only allows recursion for our internal machines. This, of course, results in the poor machine whose address was forged receiving spurious traffic.
Some of the Cisco firewalls support DNS inspection and can be configured to drop requests which want recursion. What are the ramifications of enabling this?
Can BIND be configured to do this? I was thinking about something like:
view "internal" {
    match-clients { localhost; localnets; };
    ...
};

view "external-recursive" {
    match-clients { any; };
    match-recursive-only yes;
    blackhole { any; };
};

view "external" {
    ...
};
-- John
john at feith.com
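As an added illustration (not part of John's post), the following Python sketches what a firewall's "drop requests which want recursion" rule actually keys on: the RD bit in the DNS header of an incoming query. It also builds the REFUSED reply that the server would otherwise send back to the forged source address, so you can see why dropping at ingress avoids the spurious traffic. The packets are constructed inline; the hypothetical ingress_policy() function stands in for the firewall rule and is not a BIND or Cisco feature.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR_BIT = 0x8000        # 1 = response, 0 = query
RD_BIT = 0x0100        # recursion desired
RA_BIT = 0x0080        # recursion available
RCODE_MASK = 0x000F
RCODE_REFUSED = 5      # what BIND answers when allow-recursion denies the client


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, rd=True, txid=0x1234, qtype=1):
    """Constructed sample query (qtype 1 = A, class 1 = IN); rd selects the RD flag."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    """Decode the fixed 12-byte DNS header into the fields we care about."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
    }


def wants_recursion(pkt):
    """True only for queries (QR=0) that ask for recursion (RD=1)."""
    h = parse_header(pkt)
    return not h["qr"] and h["rd"]


def refused_response(query):
    """Model the REFUSED reply: same ID, QR set, RD echoed, RCODE=5, question copied.
    RA is left clear here; its real value depends on the server's configuration."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    rflags = QR_BIT | (flags & RD_BIT) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 0) + query[12:]


def ingress_policy(pkt, src_is_internal):
    """Hypothetical firewall rule: drop recursive queries from external sources,
    pass everything else (internal clients, non-recursive queries, responses)."""
    if not src_is_internal and wants_recursion(pkt):
        return "drop"
    return "pass"


def demo():
    # Constructed: an RD=1 query arriving from an external (possibly forged) source.
    forged = build_query("www.example.com.")
    decision = ingress_policy(forged, src_is_internal=False)
    # Without the drop, this is what the forged address would receive instead.
    reply = parse_header(refused_response(forged))
    return decision, reply["rcode"]


if __name__ == "__main__":
    print(demo())
```

Because the rule looks only at QR=0 and RD=1, responses (QR=1) and iterative queries from other resolvers still pass, which is the behaviour an authoritative-only external view needs.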