From owner-freebsd-security Sat Jan 29 12:23:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id DB84A150F2 for ; Sat, 29 Jan 2000 12:23:28 -0800 (PST) (envelope-from sthaug@nethelp.no) Received: (qmail 2808 invoked by uid 1001); 29 Jan 2000 20:23:17 +0000 (GMT) To: igor@physics.uiuc.edu Cc: mccord@zytek.com, phk@critter.freebsd.dk, sthaug@nethelp.no, fbsd-security@ursine.com, freebsd-security@FreeBSD.ORG Subject: Re: Continual DNS requests from mysterious IP From: sthaug@nethelp.no In-Reply-To: Your message of "Sat, 29 Jan 2000 14:09:45 -0600 (CST)" References: <200001292009.OAA22881@alecto.physics.uiuc.edu> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Sat, 29 Jan 2000 21:23:17 +0100 Message-ID: <2806.949177397@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > However, the second method seems to provide more desired (?) result: > If you try to send an nslookup request about an outside domain > to the server from an outside host, it will respond as "query refused". > In the first case (using "allow-recursion"), the server will not > refuse the query, but rather will respond with the root-servers information. This is on purpose. The idea of the "allow-recursion" option is to limit the amount of work that a disallowed client can ask from your server. This means that it will either return a referral, or an answer from its cache. But it will *not* perform any new queries on behalf of a disallowed client. The amount of work to return a "query refused" is about the same as that of returning a referral or an answer from the cache. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message