From owner-freebsd-security Sat Jan 29 9:45:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from floozy.zytek.com (floozy.zytek.com [63.198.33.206]) by hub.freebsd.org (Postfix) with ESMTP id 47B3C15813 for ; Sat, 29 Jan 2000 09:45:26 -0800 (PST) (envelope-from mccord@floozy.zytek.com)
Received: (from mccord@localhost) by floozy.zytek.com (8.9.3/8.9.3) id JAA36290; Sat, 29 Jan 2000 09:44:53 -0800 (PST) (envelope-from mccord)
Date: Sat, 29 Jan 2000 09:44:53 -0800 (PST)
From: Samara McCord
Message-Id: <200001291744.JAA36290@floozy.zytek.com>
To: phk@critter.freebsd.dk, sthaug@nethelp.no
Subject: Re: Continual DNS requests from mysterious IP
Cc: fbsd-security@ursine.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <99753.949164993@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Tell named to only recurse for your own IP range (takes code hacking).
>
> Not really. "allow-recursion" is your friend.
>
> options {
>         allow-recursion {
>                 localnets;
>                 x.y.z/24;       // Other addresses allowed
>         };
> };
>
> Requires BIND 8.2.1 or newer.
>

Thanks, this was helpful. Also, I've found that you can emulate this
behavior on BIND 8.2 (which doesn't have allow-recursion) by the
following:

options {
        allow-query { localnets; };
};

zone "xxx.com" {
        type master;
        ...
        allow-query { any; };
        ...
};

This says that for queries within the authoritative zone, allow anything,
but for all other queries, only allow specific IPs.

Sam

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
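The two techniques from the exchange above, side by side in one named.conf fragment. This is an added illustration, not configuration posted in the thread: the acl name "trusted", the zone names example.com and 2.0.192.in-addr.arpa, the file names and the network 192.0.2.0/24 are placeholders chosen for the example.

```conf
// Added example; not from the thread. Placeholders: "trusted",
// example.com, 2.0.192.in-addr.arpa, the file names, 192.0.2.0/24.

acl trusted {
        localnets;
        192.0.2.0/24;           // your own address range
};

options {
        directory "/var/named";

        // Approach 1 (sthaug, BIND 8.2.1 or newer): anyone may query,
        // but only trusted clients are given recursive service.
        // Outsiders still get non-recursive answers, which includes
        // whatever already sits in the cache.
        allow-recursion { trusted; };

        // Approach 2 (Sam's emulation, works on BIND 8.2): refuse every
        // query from non-trusted clients by default, then re-open only
        // the authoritative zones below. Outsiders can read zone data
        // but never the cache. The allow-query check is applied before
        // recursion is considered, so when both lines are present this
        // stricter rule is what outsiders see.
        allow-query { trusted; };
};

zone "example.com" {
        type master;
        file "example.com.zone";
        allow-query { any; };   // authoritative data is public
};

zone "2.0.192.in-addr.arpa" {
        type master;
        file "192.0.2.rev";
        allow-query { any; };   // every public zone needs its own override
};
```

Two things worth checking after reloading named. From a host outside the trusted range, `dig @ns.example.com example.com SOA` must still be answered (the zone override is easy to forget on a newly added zone, and a forgotten override silently makes that zone unreachable to the world), while `dig @ns.example.com www.freebsd.org A` should come back REFUSED under approach 2, or as a referral or cached data rather than a resolved answer under approach 1 alone. That difference is the caveat to keep in mind when choosing: allow-recursion stops outsiders from using the server as a resolver, but it does not stop them from reading the cache; the allow-query form does both.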