It's not too difficult

Posted Feb 12, 2008 15:27 UTC (Tue) by mgb (subscriber, #3226)
In reply to: Interesting, not unexpected. by job
Parent article: DNS Inventor Warns of Next Big Threat (Dark Reading)

Using something like this you can use a single primary DNS server which is authoritative for
your own zones while limiting recursion to clients on your IP addresses.

acl my-recursers {
	localhost;
	localnets;
	... my CIDR blocks ...
};

options {
	allow-recursion {
		my-recursers;
	};
};

It is non-obvious for authoritative BIND views

Posted Feb 12, 2008 16:03 UTC (Tue) by hmh (subscriber, #3838)

Your example is not enough to properly configure an authoritative server (although it is good
enough for a recursion-only cache server, I think).

The proper configuration for an authoritative BIND server ends up requiring the use of views
if you also need it to be a recursive server for some clients, I think.

For the authoritative view, you need:

        additional-from-auth no;
        additional-from-cache no;

as well as the more obvious:

        recursion no;

Otherwise, you are still a problem for others (DoS amplifier at the very least).
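Putting the two comments together, the following is an added example (not posted by either commenter) of a complete BIND 9 named.conf in the shape hmh describes: the ACL from mgb's comment gates a recursive view for our own clients, and a separate view for everyone else carries `recursion no`, `additional-from-auth no` and `additional-from-cache no`. The zone name example.com, the CIDR blocks 192.0.2.0/24 and 198.51.100.0/24, and the file paths are constructed placeholders.

```conf
// Added example: BIND 9 named.conf with an authoritative-only external view
// and a recursive internal view. Zone name, CIDR blocks and paths are
// constructed placeholders.

acl my-recursers {
	localhost;
	localnets;
	192.0.2.0/24;        // constructed: replace with your own CIDR blocks
	198.51.100.0/24;
};

options {
	directory "/var/named";    // constructed path
	// Once views are in use every zone must be declared inside a view,
	// so nothing but global settings belongs here.
	allow-recursion { my-recursers; };
};

// Internal view, matched first: our own clients get a recursive resolver
// that is also authoritative for our zones.
view "internal" {
	match-clients { my-recursers; };
	recursion yes;

	zone "example.com" {
		type master;
		file "master/example.com.zone";   // constructed path
	};
};

// External view: everyone else. Authoritative answers only. With
// recursion disabled, out-of-zone queries are REFUSED; with both
// additional-from-* options off, the additional section is never
// padded from the cache or from other zones we happen to hold, which
// removes the extra response bytes an amplification attack relies on.
view "external" {
	match-clients { any; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;

	zone "example.com" {
		type master;
		file "master/example.com.zone";   // same data, stricter policy
	};
};
```

Views are matched in the order written, so the internal view must precede the catch-all external one. `named-checkconf` validates the syntax; to confirm the policy, query from an address outside the ACL for a name the server is not authoritative for: the answer should be REFUSED and the `ra` (recursion available) flag should be absent from the header.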

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds