[ale] Fwd: Under Attack, my dns servers

Lightner, Jeff JLightner at dsservices.com
Mon Oct 6 15:32:49 EDT 2014


Turning off recursion in BIND isn’t really that difficult either.

In main options section of named.conf you set (among your other options):

allow-recursion { internaldns; };

You then create an ACL called internaldns. That can have multiple IPs or ranges, e.g.

acl "internaldns" {  192.168.1.9; 10.0.45/22; };

In our case we also have an acl for externaldns to allow certain of our internet-facing devices to also come in, but that isn’t required for many folks – if you need it, you just add it to the allow-recursion statement as a second item and add the acl.

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of James Sumners
Sent: Monday, October 06, 2014 1:37 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Fwd: Under Attack, my dns servers


On Mon, Oct 6, 2014 at 1:14 PM, Lightner, Jeff <JLightner at dsservices.com> wrote:
You can and SHOULD turn off recursion from the external-facing interface, as anyone coming to you should only be resolving the domains for which you are authoritative. You can leave recursion on for the internal-facing network, but should do that only if your internal folks use your DNS servers to resolve external domains (e.g. google.com, yahoo.com etc.).

PowerDNS makes this _super_ easy -- https://www.powerdns.com


--
James Sumners
http://james.roomfullofmirrors.com/

"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted."

Missionaria Protectiva, Text QIV (decto)
CH:D 59



Athena®, Created for the Cause™

Making a Difference in the Fight Against Breast Cancer

_________________________________________________________
CONFIDENTIALITY NOTICE: This e-mail may contain privileged
or confidential information and is for the sole use of the intended
recipient(s). If you are not the intended recipient, any disclosure,
copying, distribution, or use of the contents of this information
is prohibited and may be unlawful. If you have received this electronic
transmission in error, please reply immediately to the sender that
you have received the message in error, and delete it. Thank you.
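The acl plus allow-recursion setup described in the message above, put together as one named.conf fragment. This is an added example, not configuration from the original post or from the ISC BIND project; the zone name example.com, the file paths and the 10.0.44.0/22 range are placeholders. Two points the fragment makes explicit that the prose leaves implicit: the acl block must appear before the options block that references it, and allow-query-cache should match allow-recursion so that outsiders cannot read the cache even when recursion is refused for them.

```text
// named.conf fragment (added example, not from the original post).
// The acl has to be declared before any statement that uses it.
acl "internaldns" {
    127.0.0.1;          // the server itself
    192.168.1.9;        // a single internal host (value from the post)
    10.0.44.0/22;       // internal range; 10.0.45/22 from the post has host
                        // bits set and newer named-checkconf may warn on it,
                        // so the network address is written out in full
};

options {
    directory "/var/named";                  // placeholder path
    listen-on { any; };

    recursion yes;                           // recursion stays enabled, but only
    allow-recursion { internaldns; };        // for clients matching the acl
    allow-query-cache { internaldns; };      // same set may read cached answers

    allow-query { any; };                    // authoritative zones answerable by all
    allow-transfer { none; };                // override per zone for secondaries
};

// Authoritative zone (placeholder): external clients get answers for this
// name only, and REFUSED for anything the server is not authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Check the file with `named-checkconf` before reloading. To verify the policy from outside the acl, query the server for a name it is not authoritative for (e.g. `dig @ns1.example.com www.google.com`): the answer should be status REFUSED with the `ra` flag absent from the flags line, and dig prints "recursion requested but not available". The same query from a host inside the acl should return a normal answer with `ra` set. If a second acl such as externaldns is needed for a few internet-facing devices, add it to both the allow-recursion and allow-query-cache lists, e.g. `allow-recursion { internaldns; externaldns; };`.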