Jason L Tibbitts III <tibbs@xxxxxxxxxxx> wrote:
"AMK" == Ashley M Kirchner <ashley@xxxxxxxxxx> writes:
AMK> Yes, it's called Asia. Several dozen IPs were querying my DNS
AMK> non-stop.
You should not allow recursive queries from outside of your network.
I do this by having an internal view with a "match-clients" set to my
internal network, and then later a default view with
match-clients { any; };
recursion no;
although I suspect this is not the simplest way to accomplish this
because it necessitates duplicating all of the zone declarations that
are visible in both views.
- J<
I've been pretty happy with the following approach:
[root@fraud ~]# cat /etc/named.conf
acl "trusted" {
    localhost;
    192.168.0.0/16;
    72.19.169.230;
};
...
zone "local.davenjudy.org" IN {
    type master;
    file "local.davenjudy.org";
    allow-query {
        trusted;
    };
    allow-update {
        trusted;
    };
};
...
The allow-query clause means that anyone outside of my network gets a
query refused. The weird thing is that logwatch says I get a couple of
queries for internal boxes every day. If someone is persistent, they
get a firewall rule in their honor.
Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
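An added example, not from either poster, showing a single-view named.conf that refuses recursion to outsiders with an options-level allow-recursion, so the zone declarations need not be duplicated across two views as in the first reply; a zone-level allow-query like the one above only guards that zone's data, while recursion for everything else is governed in options. Zone names, file names and address ranges are placeholders.

```conf
// Added example (not from the thread): refuse recursion to outsiders
// without a second view. Names and addresses are constructed placeholders.
acl "trusted" {
    localhost;
    192.168.0.0/16;          // constructed: replace with your own ranges
};

options {
    directory "/var/named";
    // Weak setting, shown for contrast: this makes an open resolver
    // that anyone on the Internet can use to look up arbitrary names.
    //   allow-recursion { any; };
    // Hardened: only the trusted ACL may ask this server to recurse ...
    allow-recursion { trusted; };
    // ... or read answers it cached on their behalf.
    allow-query-cache { trusted; };
    // Authoritative data can stay world-readable; recursion is what is
    // restricted here, not answers for zones this server is master for.
    allow-query { any; };
};

// Public zone: anyone may query it, only trusted hosts may update it.
zone "example.org" IN {
    type master;
    file "example.org";
    allow-update { trusted; };
};

// Internal-only zone: query and update both limited to the trusted ACL,
// matching the allow-query approach in the config quoted above.
zone "local.example.org" IN {
    type master;
    file "local.example.org";
    allow-query { trusted; };
    allow-update { trusted; };
};
```

Outside hosts still get REFUSED for internal names and for recursive lookups, which is what shows up in the daily logwatch counts; only the public zone answers them.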