From: Igor Roshchin
Message-Id: <200001292009.OAA22881@alecto.physics.uiuc.edu>
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: <200001291744.JAA36290@floozy.zytek.com> from "Samara McCord" at "Jan 29, 2000 9:44:53 am"
To: mccord@zytek.com (Samara McCord)
Date: Sat, 29 Jan 2000 14:09:45 -0600 (CST)
Cc: phk@critter.freebsd.dk, sthaug@nethelp.no, fbsd-security@ursine.com, freebsd-security@FreeBSD.ORG

> >> Tell named to only recurse for your own IP range (takes code hacking).
> >
> >Not really. "allow-recursion" is your friend.
> >
> >options {
> >    allow-recursion {
> >        localnets;
> >        x.y.z/24;    // Other addresses allowed
> >    };
> >};
> >
> >Requires BIND 8.2.1 or newer.
> >
>
> Thanks, this was helpful. Also, I've found that you can emulate this
> behavior on BIND 8.2 (which doesn't have allow-recursion) by the following:
>
> options {
>     allow-query { localnets; };
> };
> zone "xxx.com" {
>     type master;
>     ...
>     allow-query { any; };
>     ...
> };
>
> This says that for queries within the authoritative zone, allow
> anything, but for all other queries, only allow specific IPs.
>
> Sam
>

First of all, thanks to everybody. There were several helpful hints.

Second, let me point out the difference between the two methods suggested above.
The second one is more difficult to implement if you have many domains under your DNS control (you need to do that for every domain). However, the second method seems to provide the more desired (?) result: if you try to send an nslookup request about an outside domain to the server from an outside host, it will respond with "query refused". In the first case (using "allow-recursion"), the server will not refuse the query, but rather will respond with the root-servers information. I am not sure how all client-side software would react to such a response, but this type of response might not turn their resolvers away immediately.

Igor

PS. As a side note: does anybody know of any program/script analogous to "adduser" for adding domain records to the DNS database? This is not related to this list, so please respond directly.
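To make the difference between the two replies concrete when auditing one's own server, here is an added Python example (not from the thread) that classifies a nameserver's response to a query for a name it is not authoritative for: REFUSED (the allow-query method), a root referral with an empty answer section (the allow-recursion method), or a real answer, which means the server is still recursing for outside hosts. All packets are constructed inline; the name www.example.net, the 192.0.2.10 address and the root-server name are assumptions.

```python
import struct

# Constructed question section: www.example.net, type A (1), class IN (1)
QUESTION = b"\x03www\x07example\x03net\x00" + struct.pack("!HH", 1, 1)

def encode_name(name: str) -> bytes:
    """DNS wire encoding of a dotted name (no compression); '.' is the root."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def rr(name: str, rtype: int, rdata: bytes) -> bytes:
    """One resource record in wire format (class IN, TTL 3600)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def build_response(rcode: int, ra: bool, answers=(), authority=()) -> bytes:
    """Constructed reply: QR set, RA optionally set, one question, no additional."""
    flags = 0x8000 | (0x0080 if ra else 0) | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    return hdr + QUESTION + b"".join(answers) + b"".join(authority)

def classify_response(msg: bytes) -> str:
    """Label a reply to a query for a name this server is NOT authoritative for."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"       # allow-query method: the outsider gets REFUSED
    if rcode != 0:
        return f"rcode={rcode}"
    if ancount > 0:
        return "answered"      # the server recursed for an outsider: open resolver
    if nscount > 0:
        return "referral"      # allow-recursion method: root NS hints, no answer
    return "empty"

# Constructed sample replies (assumed addresses and names)
REFUSED = build_response(5, False)
REFERRAL = build_response(0, False, authority=[rr(".", 2, encode_name("a.root-servers.net"))])
OPEN = build_response(0, True, answers=[rr("www.example.net", 1, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, pkt in (("refused", REFUSED), ("referral", REFERRAL), ("open", OPEN)):
        print(label, "->", classify_response(pkt))
```

Only the "refused" and "referral" outcomes are acceptable for a query from an outside host; "answered" means the server is acting as an open recursive resolver.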