How to return REFUSED

Kevin Darcy kevin.darcy at stellantis.com
Wed May 5 20:06:29 UTC 2021


I just checked the ARM, and it denotes that "match-recursive-only"
(boolean) still exists for views. So, you might be able to set up a special
view with that, as well as a negated match-clients, specifying allow-query
{ none; }. Put it as the first view, and both non-recursive queries, and
queries from your "recursive-users" ACL, will fall through to subsequent
views.


                        - Kevin

P.S. ISC's "understanding views" knowledgebase article doesn't mention
match-recursive-only, so there is a discrepancy there. Either the feature
has been removed, and the ARM documentation hasn't been updated to reflect
it, or the knowledgebase article only focuses on the most common
view-matching criteria, omitting match-recursive-only, since the use cases
for that are very rare.

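The arrangement Kevin describes, written out as a named.conf fragment. This is an added example, not configuration from either poster; the "recursive-users" prefixes and the example.com zone are placeholders.

```conf
// Placeholder prefixes standing in for the poster's real ACL.
acl "recursive-users" { 192.0.2.0/24; 2001:db8::/32; };

// View 1: consulted only for queries with the RD bit set (match-recursive-only)
// coming from clients that are NOT in recursive-users (negated match-clients).
// allow-query { none; } makes BIND answer every such query with REFUSED,
// a small response with no NS/additional section, so it cannot amplify.
view "refuse-foreign-recursion" {
    match-recursive-only yes;
    match-clients { !recursive-users; any; };
    allow-query { none; };
    recursion no;
};

// View 2: your own clients get full recursion.
// Queries from recursive-users never matched view 1 (negated element),
// so they fall through to here.
view "recursive" {
    match-clients { recursive-users; };
    recursion yes;
    allow-query { any; };
    allow-query-cache { recursive-users; };
    allow-recursion { recursive-users; };
    zone "example.com" { type primary; file "db.example.com"; };
};

// View 3: everyone else, but only non-recursive (RD=0) queries reach it,
// because RD=1 queries from these clients were refused by view 1.
view "authoritative" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    zone "example.com" { type primary; file "db.example.com"; };
};
```

Note that view 1 refuses any RD=1 query from outside the ACL, including ones for zones this server is authoritative for; resolvers normally send RD=0 to authoritative servers, but a manual `dig` without `+norecurse` from outside will see REFUSED.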

On Wed, May 5, 2021 at 3:10 PM Axel Rau <Axel.Rau at chaos1.de> wrote:

> I have,
>
>         allow-query { any; };
>         allow-query-cache { recursive-users; };
>         allow-recursion { recursive-users; };
>
> How can I make sure that non-recursive-users get a REFUSED if the query is
> recursive?
>
> Axel
>
> PS: I want to minimize the responses to this amplification attack:
> - - -
> 19:05:18.703238 185.230.55.130.30120 > 91.216.35.71.53: [no udp cksum] 1+
> RRSIG? pizzaseo.com.(30) (ttl 249, id 33043, len 58)
> 19:05:18.703568 91.216.35.71.53 > 185.230.55.130.30120: [udp sum ok] 1- q:
> RRSIG? pizzaseo.com. 0/13/14 ns: com. NS j.gtld-servers.net., com. NS
> m.gtld-servers.net., com. NS c.gtld-servers.net., com. NS
> b.gtld-servers.net., com. NS d.gtld-servers.net., com. NS
> e.gtld-servers.net., com. NS l.gtld-servers.net., com. NS
> f.gtld-servers.net., com. NS h.gtld-servers.net., com. NS
> i.gtld-servers.net., com. NS a.gtld-servers.net., com. NS
> k.gtld-servers.net., com. NS g.gtld-servers.net. ar: m.gtld-servers.net.
> A 192.55.83.30, l.gtld-servers.net. A 192.41.162.30, k.gtld-servers.net.
> A 192.52.178.30, j.gtld-servers.net. A 192.48.79.30, i.gtld-servers.net.
> A 192.43.172.30, h.gtld-servers.net. A 192.54.112.30, g.gtld-servers.net.
> A 192.42.93.30, f.gtld-servers.net. A 192.35.51.30, e.gtld-servers.net. A
> 192.12.94.30, d.gtld-servers.net. A 192.31.80.30, c.gtld-servers.net. A
> 192.26.92.30, b.gtld-servers.net. A 192.33.14.30, a.gtld-servers.net. A
> 192.5.6.30, m.gtld-servers.net. AAAA 2001:501:b1f9::30(490) (ttl 63, id
> 11754, len 518)
> - - -
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius