Dropping external recursive requests

Chris Buxton cbuxton at menandmice.com
Wed Dec 3 18:37:07 UTC 2008


That ought to work, and work well.

This will not impact outside name servers that query your name server,
because they send iterative queries. If they're sending recursive
queries, they're abusing your server. I can't see any problems with this
approach.

If you have authoritative data in the third view, make sure that when
the first view wants to look it up, its iterative query to the server
machine itself is routed through to the third view (rather than being
captured by the first view).

Chris Buxton
Men & Mice

On Tue, 2008-12-02 at 17:10 -0800, john at feith.com wrote:
> Our DNS server occasionally gets requests for recursion with forged src
> addresses. Currently our server returns "Standard query response, Refused"
> since our named.conf only allows recursion for our internal machines. This,
> of course, results in the poor machine whose address was forged receiving
> spurious traffic.
> 
> Some of the Cisco firewalls support DNS inspection and can be configured to
> drop requests which want recursion. What are the ramifications of enabling
> this?
> 
> Can bind be configured to do this? I was thinking about something like:
> 
> view "internal" {
>   match-clients { localhost; localnets; };
>   ...
> }
> 
> view "external-recursive" {
>   match-clients { any; };
>   match-recursive-only yes;
>   blackhole { any; };
> }
> 
> view "external" {
>   ...
> }
> 
> -- John
> john at feith.com
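As an added illustration that is not part of the thread, the following Python models the decision John's three views make: it reads the RD (recursion desired) bit from a DNS query header and combines it with the source address, so a spoofed external recursive query gets no answer at all while external iterative queries still reach authoritative data. The internal address ranges are assumed stand-ins for "localhost; localnets;".

```python
import ipaddress
import struct

# Assumed stand-ins for BIND's "localhost; localnets;" match list.
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def recursion_desired(packet):
    """True if the RD bit is set in the DNS header (RFC 1035, section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    return bool(flags & 0x0100)


def classify(src, packet):
    """Return (view, action) the way the three views in the proposal would.

    Internal clients are served recursively; external clients asking for
    recursion are silently dropped, so a forged source receives nothing;
    remaining external clients only see authoritative data.
    """
    if is_internal(src):
        return ("internal", "answer-recursively")
    if recursion_desired(packet):
        return ("external-recursive", "drop")
    return ("external", "answer-authoritatively")


def build_query(rd):
    """Constructed sample query for example.com A, with or without RD set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = b"example.com".split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
```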