ip forwarding DNS 9.6.0

Mark Andrews Mark_Andrews at isc.org
Thu Apr 9 22:51:40 UTC 2009


In message <83F1E37B-72BD-4454-8C2D-4FA91D5FC4DA at cs.moravian.edu>, myron writes:
> On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
> 
> >
> > In message <D7656C59-094F-4B37-B3CC-4496DB3AFB38 at cs.moravian.edu>,  
> > myron writes:
> >> I started reading up on Kirk's suggestions of the allow-*** settings.
> >> In the global options level
> >> I put
> >> options {
> >>         directory       "/etc/dns";
> >>         allow-query-cache { any; };
> >>         allow-query { any; };
> >>         auth-nxdomain   yes;
> >> };
> >>
> >> and that definitely worked. By no means do I understand the paragraph
> >> below from the README.
> >> I need to mull over it for a while and determine where the options
> >> should go, whether globally or in a view
> >> and whether "any" is the right setting.
> >
> > 	Basically there are people using recursive DNS servers as
> > 	amplifiers in DoS attacks by sending forged UDP queries.
> > 	By restricting who can get access to the cache you reduce
> > 	the effect of such queries to just anonymising the original
> > 	query source.
> >
> > 	The defaults were changed so that only locally connected
> > 	nets get recursive service and access to the cache.  This
> > 	default is right for a large majority of the users of named.
> > 	You should expand allow-query-cache to include all the
> > 	networks you want to offer recursive service to.
> >
> > 	Mark
> 
> I think I got it right. I just changed "any" to my network. It works.
> 
> options {
>          directory       "/etc/dns";
>          allow-query-cache { int-net; };
>          allow-query { int-net; };

	allow-query would normally be "any;" as you are normally
	publishing zones to the world.

>          auth-nxdomain   yes;
> };
> 
> >
> >
> >> Thanks for all the help.
> >>
> >> --myron
> >> =================================
> >> Myron Kowalski
> >> MoCoSIN Network/Systems Administrator
> >> Moravian College
> >> myron at cs.moravian.edu
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
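The configuration the thread converges on, written out as a complete named.conf fragment. This is an added example, not Mark's or Myron's own file: the acl name "int-net" is the one from Myron's config, but the prefixes inside it, the directory and the zone name are constructed placeholders. It also adds allow-recursion, which the thread does not mention; recursion and cache reads are the two sides of the same service, so they are restricted to the same acl.

```conf
// Added example (not from the thread): a named.conf fragment applying the
// advice above. "int-net" is the acl name Myron used; its members here are
// constructed placeholders to be replaced with the real internal prefixes.
acl "int-net" {
    localhost;
    localnets;
    192.0.2.0/24;        // constructed example prefix (RFC 5737 documentation range)
};

options {
    directory "/etc/dns";

    // Authoritative data is meant to be public, so queries for the zones
    // served below are accepted from anywhere. Setting this to int-net
    // (as in the first attempt) would stop the rest of the world from
    // resolving the published zones at all.
    allow-query { any; };

    // Recursive service and reads from the cache are limited to the
    // internal networks. With { any; } here the server is an open
    // resolver that forged UDP queries can bounce off; with int-net a
    // forged query from outside gets a REFUSED answer instead of a
    // large cached response, which removes the amplification.
    allow-recursion  { int-net; };
    allow-query-cache { int-net; };

    auth-nxdomain yes;
};

// Constructed zone (example.com is reserved for documentation). No
// per-zone allow-query is needed: options.allow-query { any; } applies.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Check the file with named-checkconf before reloading; a query for a name outside the served zones from an address not in int-net should then be answered REFUSED, while queries for example.com are answered from anywhere.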