<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Never the less, it seems dangerous to have allow-recusion {any; }; Why not at least have a proper ACL that is limited to the internal IP segments? Surly you know the internal IP ranges used? No?<br><br>But more to the original post. If your using a windows machine have you made sure to clear your cache, after any reconfiguration you may have done?<br><br>ipconfig /flushdns<br><br><a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true" target="_blank">http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true</a><br><br>For Linux(unix) if you are running the cache daemon it is <br><pre class="bbcode_code" style="height:36px;">sudo /etc/init.d/nscd restart</pre><br><br><br><br><div>> Date: Wed, 25 Sep 2013 16:32:50 -0400<br>> From: brian@wadsworth.org<br>> To: alan@clegg.com<br>> Subject: Re: weird perfmonce BIND version 9.6<br>> CC: bind-users@lists.isc.org<br>> <br>> <br>> Alan,<br>> <br>> Apreciate the warning, these options are restricted in our<br>> public/internet facing servers.<br>> <br>> The server that had given us grief is in fact internal and only<br>> serves our internal addresses, and belive it or not the issue<br>> revolved around forwarder zones from peer networks that are private<br>> from the internet. Our desktops/linux workstations where not getting<br>> those peer-private dns requests even though the server had them.<br>> <br>> Our peer did something ultra special, a new private, unsanctioned<br>> TLD, just for use on the peer networks... its now impossible for us<br>> to function without forwarder records or explicitely allowing<br>> recursive queries on our internal and private network.<br>> <br>> <br>> <br>> On Wed, Sep 25, 2013 at 04:23:57PM -0400, Alan Clegg wrote:<br>> > <br>> > On Sep 25, 2013, at 3:23 PM, Brian Cuttler <brian@wadsworth.org> wrote:<br>> > <br>> > > In our switch from BIND 8.3.3 to 9.8.2 we failed to add the now<br>> > > necessary statements.<br>> > > <br>> > > recursion yes;<br>> > > allow-recursion { any; };<br>> > > allow-query { any; };<br>> > > allow-query-cache { any; };<br>> > > <br>> > > I realize your problem may be entirely different.<br>> > <br>> > And by doing this, you made yourself (again) an open recursive resolver capable of being used as a DoS amplifier.<br>> > <br>> > Please don't use "any" in these ACLs. Set ACLs that include only the address ranges that you control.<br>> > <br>> > This public service announcement brought to you by those that care about the Internet.<br>> > <br>> > (but thanks from upgrading to a relatively new version of BIND)<br>> > <br>> > AlanC<br>> > -- <br>> > Alan Clegg | +1-919-355-8851 | alan@clegg.com<br>> > <br>> <br>> <br>> ---<br>> Brian R Cuttler brian.cuttler@wadsworth.org<br>> Computer Systems Support (v) 518 486-1697<br>> Wadsworth Center (f) 518 473-6384<br>> NYS Department of Health Help Desk 518 473-0773<br>> <br>> _______________________________________________<br>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list<br>> <br>> bind-users mailing list<br>> bind-users@lists.isc.org<br>> https://lists.isc.org/mailman/listinfo/bind-users<br></div> </div></body>
</html>