Advisory Notice for Bind Default Configuration and Reflector Attacks
Gregory Neil Shapiro
gshapiro at gshapiro.net
Sat Mar 25 03:18:55 UTC 2006
> All I see is a lot of recursive queries (+) to an authoritative
> server which is not offering recursion.
>
> Iterative resolvers ask non-recursive queries. If you are
> using a forward zone then you are not acting as an iterative
> resolver for the namespace covered. Nameservers listed
> in forwarders clauses need to be configured to accept recursive
> queries.
Mark is correct, my test was flawed. Thanks for the clue. Now I have
to decide whether or not I should globally "allow-query { any; };" with
recursion off (i.e., be friendly and at least return some NS records or
just return REFUSED). Any conventional wisdom?