Date:      Sat, 29 Jan 2000 22:34:21 -0700 (MST)
From:      Nate Williams <nate@yogotech.com>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        "Michael Bryan" <fbsd-security@ursine.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Continual DNS requests from mysterious IP 
Message-ID:  <200001300534.WAA12435@nomad.yogotech.com>
In-Reply-To: <13429.949164414@critter.freebsd.dk>
References:  <200001290842460680.22E3EFC9@quaggy.ursine.com> <13429.949164414@critter.freebsd.dk>

> >>But this also brings up my other
> >>point.  Correct me if I'm wrong, but my DNS servers shouldn't ever have
> >>to deliver the MX records for aol.com (or any domain for which I don't
> >>serve), except to my own internal machines and for my own customers, right?
> >
> >If somebody has manually set up their system to use you as a DNS resolver,
> >then you will get packets for any and all DNS requests they make, no matter
> >where they are on the Internet.  Not a very smart way to do things, mind
> >you, but I've seen it before, usually from customers of mine who moved a
> >computer from work or another ISP and kept their old DNS settings.  I don't
> >think that's what's going on in your case, though...
> 
> Tell named to only recurse for your own IP range (takes code hacking).

Actually, it doesn't.  Newer versions of named have this as a feature...

options {
        // Only allow 'generic' queries from machines in this
        // network.  This requires that we allow queries for
        // the information we are authoritative for 'any' in
        // each zone declaration.
        allow-query { 127.0.0.1; 206.127.79.112/29; 206.127.79.120/29; };
};

zone "yogotech.com" {
        type master;
        file "master/yogotech.com";
        allow-transfer { yogoNS; };
        allow-query { any; };
};

The only requirement is that you add 'allow-query { any; };' for any
zone you are authoritative for, but this is minor.

Doing this stopped a number of people who were 'abusing' my DNS
servers...


Nate
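
Added example (not part of the message above, and not BIND code): a Python sketch of the precedence the configuration relies on, where a zone's own allow-query replaces the one in options. The sample config is constructed from the message plus a hypothetical example.org zone; load() and answers() are names made up here, and the parser assumes quoted zone names and handles only 'any', 'none', addresses and prefixes.

```python
import ipaddress
import re

# Constructed sample: the message's config plus a hypothetical zone without allow-query.
SAMPLE_CONF = """
options {
        allow-query { 127.0.0.1; 206.127.79.112/29; 206.127.79.120/29; };
};
zone "yogotech.com" { type master; allow-query { any; }; };
zone "example.org" { type master; };
"""

def load(text):
    """Return (global ACL, {zone: ACL or None}) from the top-level statements."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", text, flags=re.S)
    global_acl, zones, depth, head_at = ["any"], {}, 0, 0  # no global ACL means 'any'
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
            if depth == 1:  # start of a top-level statement body
                header, body_at = text[head_at:i].strip(), i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # end of a top-level statement body
                m = re.search(r"allow-query\s*\{([^}]*)\}", text[body_at:i])
                acl = m.group(1).replace(";", " ").split() if m else None
                if header == "options":
                    global_acl = acl or global_acl
                elif header.startswith("zone"):
                    zones[header.split('"')[1].lower()] = acl
        elif ch == ";" and depth == 0:
            head_at = i + 1
    return global_acl, zones

def answers(global_acl, zones, qname, client):
    """True if a query for qname from client passes the effective allow-query."""
    labels = qname.lower().rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))  # longest first
    zone = next((s for s in suffixes if s in zones), None)
    acl = (zones[zone] if zone else None) or global_acl  # zone ACL overrides options
    ip = ipaddress.ip_address(client)
    for elem in acl:
        if elem in ("any", "none"):
            return elem == "any"
        # Named ACLs and '!' negation are not modelled: ip_network() raises on them.
        if ip in ipaddress.ip_network(elem, strict=False):
            return True
    return False
```

Running answers(*load(SAMPLE_CONF), "example.org", "198.51.100.7") shows the cost of forgetting the per-zone override: the zone inherits the restricted global list and outside clients are refused data the server is authoritative for.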

