weird performance BIND version 9.6

Shawn Bakhtiar shashaness at hotmail.com
Thu Sep 26 16:33:00 UTC 2013


Nevertheless, it seems dangerous to have allow-recursion { any; }; Why not at least have a proper ACL that is limited to the internal IP segments? Surely you know the internal IP ranges used? No?

But more to the original post. If you're using a Windows machine, have you made sure to clear your cache after any reconfiguration you may have done?

ipconfig /flushdns

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true

For Linux (Unix), if you are running the cache daemon it is

sudo /etc/init.d/nscd restart



> Date: Wed, 25 Sep 2013 16:32:50 -0400
> From: brian at wadsworth.org
> To: alan at clegg.com
> Subject: Re: weird performance BIND version 9.6
> CC: bind-users at lists.isc.org
> 
> 
> Alan,
> 
> Appreciate the warning, these options are restricted in our
> public/internet facing servers.
> 
> The server that had given us grief is in fact internal and only
> serves our internal addresses, and believe it or not the issue
> revolved around forwarder zones from peer networks that are private
> from the internet. Our desktops/linux workstations were not getting
> those peer-private dns requests even though the server had them.
> 
> Our peer did something ultra special, a new private, unsanctioned
> TLD, just for use on the peer networks... it's now impossible for us
> to function without forwarder records or explicitly allowing
> recursive queries on our internal and private network.
> 
> 
> 
> On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
> > 
> > On Sep 25, 2013, at 3:23 PM, Brian Cuttler <brian at wadsworth.org> wrote:
> > 
> > > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> > > necessary statements.
> > > 
> > > recursion yes;
> > > allow-recursion { any; };
> > > allow-query     { any; };
> > > allow-query-cache { any; };
> > > 
> > > I realize your problem may be entirely different.
> > 
> > And by doing this, you made yourself (again) an open recursive resolver capable of being used as a DoS amplifier.
> > 
> > Please don't use "any" in these ACLs.  Set ACLs that include only the address ranges that you control.
> > 
> > This public service announcement brought to you by those that care about the Internet.
> > 
> > (but thanks for upgrading to a relatively new version of BIND)
> > 
> > AlanC
> > -- 
> > Alan Clegg | +1-919-355-8851 | alan at clegg.com
> > 
> 
> 
> ---
>    Brian R Cuttler                 brian.cuttler at wadsworth.org
>    Computer Systems Support        (v) 518 486-1697
>    Wadsworth Center                (f) 518 473-6384
>    NYS Department of Health        Help Desk 518 473-0773
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
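A concrete version of what Shawn and Alan are asking for, added here as an example and not configuration posted by anyone in the thread or shipped by ISC: the open settings Brian quoted, beside a named.conf fragment that restricts recursion and cache access to a named ACL of internal ranges, plus a forward-only zone of the kind the thread mentions for a peer's private TLD. The ACL name, the RFC 1918 ranges, the zone name "peerlan" and the forwarder address are assumptions or constructed placeholders, not values from the thread.

```conf
// --- Open configuration quoted in the thread ---------------------------
// Every host that can reach this server may recurse through it and read
// its cache, which is what makes it usable as a DoS amplifier.
//
// options {
//     recursion yes;
//     allow-recursion   { any; };
//     allow-query       { any; };
//     allow-query-cache { any; };
// };

// --- Hardened equivalent -----------------------------------------------
// ACL name and address ranges are assumptions for this example; replace the
// blocks below with the ranges the site actually uses internally.
acl "internal" {
    127.0.0.1;            // the resolver itself (IPv4)
    ::1;                  // the resolver itself (IPv6)
    10.0.0.0/8;           // constructed example internal ranges
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    recursion yes;
    // Only clients matching the ACL may ask this server to recurse or to
    // answer from its cache; everyone else receives REFUSED.
    allow-recursion   { internal; };
    allow-query       { internal; };
    allow-query-cache { internal; };
};

// Forward-only zone for a peer network's private TLD, as described in the
// thread. "peerlan" and 10.200.0.53 are placeholders, not the real values.
zone "peerlan" {
    type forward;
    forward only;
    forwarders { 10.200.0.53; };
};
```

Run named-checkconf on the file before reloading with rndc reload; a stray "any" in one of the three allow-* statements is easy to miss by eye. On an internal-only server, a single allow-query ACL is fine; if the same server also publishes authoritative zones to the outside, keep allow-query per zone instead and restrict only allow-recursion and allow-query-cache globally.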