weird perfmonce BIND version 9.6
Shawn Bakhtiar
shashaness at hotmail.com
Thu Sep 26 16:33:00 UTC 2013
Nevertheless, it seems dangerous to have allow-recursion { any; }; Why not at least have a proper ACL that is limited to the internal IP segments? Surely you know the internal IP ranges used? No?
But more to the original post. If you're using a Windows machine, have you made sure to clear your cache after any reconfiguration you may have done?
ipconfig /flushdns
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true
For Linux (Unix), if you are running the cache daemon, it is
sudo /etc/init.d/nscd restart
> Date: Wed, 25 Sep 2013 16:32:50 -0400
> From: brian at wadsworth.org
> To: alan at clegg.com
> Subject: Re: weird perfmonce BIND version 9.6
> CC: bind-users at lists.isc.org
>
>
> Alan,
>
> Appreciate the warning, these options are restricted in our
> public/internet facing servers.
>
> The server that had given us grief is in fact internal and only
> serves our internal addresses, and believe it or not the issue
> revolved around forwarder zones from peer networks that are private
> from the internet. Our desktops/linux workstations were not getting
> those peer-private dns requests even though the server had them.
>
> Our peer did something ultra special, a new private, unsanctioned
> TLD, just for use on the peer networks... it's now impossible for us
> to function without forwarder records or explicitly allowing
> recursive queries on our internal and private network.
>
>
>
> On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:
> >
> > On Sep 25, 2013, at 3:23 PM, Brian Cuttler <brian at wadsworth.org> wrote:
> >
> > > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now
> > > necessary statements.
> > >
> > > recursion yes;
> > > allow-recursion { any; };
> > > allow-query { any; };
> > > allow-query-cache { any; };
> > >
> > > I realize your problem may be entirely different.
> >
> > And by doing this, you made yourself (again) an open recursive resolver capable of being used as a DoS amplifier.
> >
> > Please don't use "any" in these ACLs. Set ACLs that include only the address ranges that you control.
> >
> > This public service announcement brought to you by those that care about the Internet.
> >
> > (but thanks for upgrading to a relatively new version of BIND)
> >
> > AlanC
> > --
> > Alan Clegg | +1-919-355-8851 | alan at clegg.com
> >
>
>
> ---
> Brian R Cuttler brian.cuttler at wadsworth.org
> Computer Systems Support (v) 518 486-1697
> Wadsworth Center (f) 518 473-6384
> NYS Department of Health Help Desk 518 473-0773
>
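The ACL advice in this thread can be checked mechanically. The following is an added example, not code from any poster or from ISC: a small Python audit that flags allow-recursion and allow-query-cache lists that admit "any", directly or through a named acl. The acl names "internal" and "everyone" and the address ranges are constructed for illustration, and the parser assumes flat (non-nested) address-match lists.

```python
import re

OPEN = {"any", "0.0.0.0/0", "::/0"}  # elements that match every client

def _elements(body):
    """Split an address-match list body into its elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def _is_open(elements, acls, seen=()):
    """True if the list admits everyone, directly or via a named acl."""
    for e in elements:
        if e.lower() in OPEN:
            return True
        if e in acls and e not in seen and _is_open(acls[e], acls, seen + (e,)):
            return True
    return False

def audit(conf):
    """Return the recursion ACL options in conf that are open to any client."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # /* ... */ comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)            # // and # comments
    acls = {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', conf)}
    rec = re.search(r"(?<![-\w])recursion\s+(\w+)\s*;", conf)
    if rec and rec.group(1).lower() in ("no", "false", "0"):
        return []                                       # recursion is off
    pattern = r"(?<![-\w])(allow-recursion|allow-query-cache)\s*\{([^{}]*)\}"
    return [m.group(1) for m in re.finditer(pattern, conf)
            if _is_open(_elements(m.group(2)), acls)]

# The statements quoted in the thread, wrapped in an options block.
PAGE_CONFIG = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
"""

# Constructed alternative: recursion limited to a named internal acl.
RESTRICTED = """
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };  // constructed ranges
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { localhost; internal; };
};
"""

if __name__ == "__main__":
    print("thread config:", audit(PAGE_CONFIG))
    print("restricted   :", audit(RESTRICTED))
```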