"Recursive no;" implications?

LuKreme kremels at kreme.com
Wed Jan 22 05:29:24 UTC 2014


On 21 Jan 2014, at 02:12 , Mark Andrews <marka at isc.org> wrote:

>> If you have master/slave servers you should specify allow-recursion for your 
>> subnet instead, right? If you do this, you don't need to set forwarders, yes?
> 
> Allow-recursion has no impact on master / slave zones.

OK, so in order to lock down your server against DDoS DNS attacks you need to restrict the access to the recursive lookup, yes? But if you set 'recursion no;' then your own servers will not look up IP addresses for, for example, your mail server to check reject_unknown_reverse_client_hostname or related.

<http://www.zytrax.com/books/dns/ch9/close.html>

Looking at that, if I am reading it correctly, I should have

allow-recursion { "localnets"; }

in the options on the master and slave DNS servers (along with any other specific IPs that I want to/need to allow). Given the risks in allowing recursion for the wilds of the Internet, how are companies like Google able to allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS attacks?

>> And finally, can you specify a slave DNS against a CNAME or must it have an
>> rDNS and an A record?
> 
> No.  NS records need to refer to nodes with A and/or AAAA records.  Reverse
> DNS is irrelevant to the delegation.

Thanks, I thought that was the case.

-- 
"A thousand years ago we thought the world was a bowl. Five hundred
years ago we knew it was a globe. Today we know it is flat and round
carried through space on the back of a turtle. Don't you wonder what
shape it will turn out to be tomorrow?" [Lord Vetinari]
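The configuration question raised above (lock down recursion without breaking the server's own lookups, while still serving the master/slave zones to everyone), as an added worked example that is not from the original message or from anyone on the thread: the open-resolver options block is shown commented out beside a locked-down one built on allow-recursion. The zone names, the 192.0.2.25 mail server address and the 198.51.100.1 master address are assumed placeholders from RFC 5737 documentation space.

```bind
// Added example, not from the original post. BIND 9 options for an
// authoritative master/slave that must still resolve names for its own hosts.
//
// WEAK: recursion for anyone. An explicit "any" here makes the server an
// open resolver that the whole Internet can use for reflection/amplification.
//
//   options {
//       recursion yes;
//       allow-recursion { any; };
//   };
//
// LOCKED DOWN: keep recursion on, but only for the networks and hosts that
// need it. Placeholder addresses are RFC 5737 documentation space (assumed).
options {
    directory "/var/named";

    recursion yes;

    // Who may ask this server to resolve names it is not authoritative for.
    // "localnets" = every subnet attached to this host's interfaces.
    // 192.0.2.25 stands in for a mail server on another segment that needs
    // reverse lookups (e.g. for reject_unknown_reverse_client_hostname).
    allow-recursion { localhost; localnets; 192.0.2.25; };

    // Cached (non-authoritative) answers are restricted the same way, so an
    // outsider cannot read the cache either. BIND uses the allow-recursion
    // list here when allow-query-cache is unset; stating it avoids surprises.
    allow-query-cache { localhost; localnets; 192.0.2.25; };

    // Queries for zones this server is master/slave for are still answered
    // for everyone; allow-recursion has no effect on those (Mark's point).
    allow-query { any; };

    // Response rate limiting (built into BIND 9.10 and later) blunts the use
    // of the authoritative data itself as an amplification source.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// Authoritative data served to any client regardless of allow-recursion.
zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "example.net" {
    type slave;
    masters { 198.51.100.1; };
    file "slaves/example.net.zone";
};
```

Check it with `named-checkconf` before reloading. Then, from a host outside the allowed lists, `dig @<server> www.example.com` should return an authoritative answer, while `dig @<server> www.google.com` should come back with status REFUSED; from the mail server or a localnets host the second query should resolve normally. No forwarders are needed for this to work: the server performs its own recursion for the allowed clients.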

