Advisory Notice for Bind Default Configuration and Reflector Attacks

Gregory Neil Shapiro gshapiro at gshapiro.net
Sat Mar 25 03:18:55 UTC 2006


> 	All I see is a lot of recursive queries (+) to a authoritative
> 	server which is not offering recursion.
> 
> 	Interative resolver ask non recursive queries. If you are
> 	using a forward zone they you are not acting as a interative
> 	resolver for the namespace covered.  Nameservers listed
> 	in forwarders clauses need to be configured to accept recursive
> 	queries.

Mark is correct, my test was flawed.  Thanks for the clue.  Now I have
to decide whether or not I should globally "allow-query { any; };" with
recursion off (i.e., by friendly and at least return some NS records or
just return REFUSED).  Any conventional wisdom?


More information about the bind-workers mailing list