Advisory Notice for Bind Default Configuration and Reflector Attacks
Jun-ichiro itojun Hagino
itojun at itojun.org
Thu Mar 23 18:56:09 UTC 2006
ok, let us talk about it on bind-workers, not bind9, as "bind" is
bind9 now. i really hope to see the day when we say "ip" it means "ipv6" :-)
> # even though i restrict recursion, my server returned list of TLD servers (13
> # .com servers, packet size is almost 512 bytes). so even though there is no
> # traffic increase, i see 1 return packet against 1 attack packet. is it
> # intentional, or am i using too old code?
>
> allow-recursion was a bad idea and i apologize for its existence. it should
> be deprecated in my opinion. what you need is allow-query, which means either
the allow-recursion behavior is something not normal.
the default behavior is allow-recursion {all}, and when we say
"allow-recursion {foo}", what it actually does is
"deny-recursion {not foo}". i was really wondering what is going to
happen to "not foo" when i added allow-recursion last night.
itojun
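The two named.conf fragments below are an added example illustrating the point of this exchange; they are not from itojun's message, from the quoted reply, or from ISC's documentation. They assume a hypothetical server that is authoritative for example.com and is meant to recurse only for 192.0.2.0/24 (both are made-up for the example). Variant A is the allow-recursion-only setting discussed above; variant B is the allow-query form the reply recommends. Only one options block belongs in a real named.conf; they are shown side by side for comparison.

```conf
// Added example, not from the original thread. Addresses are hypothetical.
acl "trusted" { 192.0.2.0/24; 127.0.0.1; };

// Variant A: the setting discussed above. Recursion is refused to everyone
// outside "trusted", but allow-query still defaults to { any; }, so a query
// with a spoofed source address for e.g. "com. NS" (or any name outside a
// local zone) is still answered non-recursively with a referral to the root
// or TLD servers: a response close to 512 bytes for every attack packet.
options {
    directory "/var/named";
    allow-recursion { trusted; };    // in effect: deny-recursion { !trusted; }
};

// Variant B: restrict queries, not just recursion. An outside address now
// gets a REFUSED response (roughly the size of the query, so no amplification
// and nothing useful to reflect) for anything it is not meant to ask about.
// Each authoritative zone re-opens allow-query so its own data stays public.
options {
    directory "/var/named";
    allow-query     { trusted; };    // applies to everything not overridden per zone
    allow-recursion { trusted; };    // redundant under this allow-query, kept for clarity
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };            // authoritative data is still served to the world
};
```

To confirm the difference, send a non-recursive query from an address outside the ACL, for instance `dig @<server> com. NS +norecurse`: variant A returns a referral with the TLD name servers, variant B returns status REFUSED with an empty answer. Note that the per-zone allow-query override is what keeps the server usable as a public authoritative server at all; forgetting it turns variant B into an outage. BIND 9.4 and later added a separate allow-query-cache option (which defaults to the allow-recursion list when that is set) so that access to cached and recursed data can be restricted without touching allow-query for zone data.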