Date: Mon, 22 Apr 2002 12:38:27 -0400
From: "Jim Flowers" <jflowers@ezo.net>
To: Tim Wilde <twilde@dyndns.org>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: DNS Question
Message-ID: <20020422123827.M47851@ezo.net>
In-Reply-To: <Pine.GSO.4.44.0204221202580.25336-100000@quartz.bos.dyndns.org>
References: <20020422114506.M42132@ezo.net> <Pine.GSO.4.44.0204221202580.25336-100000@quartz.bos.dyndns.org>

That is true, of course, but you can't turn recursion off when you are using a single server for both resolver service (for trusted hosts) and general lookup service for the world-at-large for your authoritative zones. The best setup uses two services, one with recursion that can be used by trusted users and the other without that will allow queries to only the authorized zones. I have not been able to get both servers to run on a single host (with a single IP address) so the best I can do is the method described.

It is interesting that for a small ISP we reject thousands of queries to our DNS servers that are not from our subscribers or for our authorized zone records.

>
> The allow-recursion { }; statement within the options { };
> block is more correct to use to limit recursion, I'm pretty
> sure it's available in BIND 8, and it definitely is in BIND
> 9. DNS & BIND is a very good resource, as is the BIND ARM
> that ships in the doc/ dir of the BIND distribution.
>
> Tim Wilde
>
> --
> Tim Wilde
> twilde@dyndns.org
> Systems Administrator
> Dynamic DNS Network Services
> http://www.dyndns.org/

--
Jim Flowers <jflowers@ezo.net>
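
The allow-recursion statement from the quoted reply, written out for the single-server case described in the message, as an added example that is not part of the original thread. The ACL name, address range, zone name and file paths are constructed placeholders, and a BIND 9 named.conf is assumed.

```conf
// Added example, not from the thread. All names and addresses are placeholders.

// Hosts allowed to use this server as a recursive resolver.
acl "trusted" {
    localhost;
    192.0.2.0/24;                     // subscriber network (documentation range)
};

options {
    directory "/etc/namedb";          // assumed config directory

    // Recursion stays enabled because trusted hosts use this server
    // as their resolver ...
    recursion yes;

    // ... but only the "trusted" ACL may trigger it. Without this
    // statement, "recursion yes" serves recursive lookups to any client.
    allow-recursion { "trusted"; };

    // Queries themselves are still accepted from anyone, so the
    // world at large can look up records in the authoritative zones.
    allow-query { any; };
};

// Authoritative zone served to the world at large.
zone "example.com" {
    type master;
    file "master/example.com.db";     // placeholder zone file
    allow-query { any; };
};
```

Running named-checkconf against the file catches syntax errors before named is reloaded.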