Advisory Notice for Bind Default Configuration and Reflector Attacks

Jun-ichiro itojun Hagino itojun at itojun.org
Thu Mar 23 18:56:09 UTC 2006


	ok, let us talk about it on bind-workers not bind9, as "bind" is
	bind9 now.  i really hope to see when we say "ip" it means "ipv6" :-)

> # even though i restrict recursion, my server returned list of TLD servers (13
> # .com servers, packet size is almost 512 bytes).  so even though there is not
> # traffic increse, i see 1 return packet against 1 attack packet.  is it
> # intentional, or am i using too old code?
> 
> allow-recursion was a bad idea and i apologize for its existence.  it should
> be deprecated in my opinion.  what you need is allow-query, which means either

	allow-recursion behavior is something not normal.
	the default behavior is allow-recursion {all}, and when we say
	"allow-recursion {foo}", what it actually does is
	"deny-recursion {not foo}".  i was really wondering what is going to
	happen to "not foo" when i aded allow-recursion last night.

itojun


More information about the bind-workers mailing list