
allow-recursion ??: msg#00412

Subject: allow-recursion ??
hi,

In an attempt to make my name server more secure I have decided to stop
external clients from making recursive queries.


I have added the line 

allow-recursion { 10.0.0.1; 10.0.0.2; 10.0.0.3; 10.0.0.4; 212.113.200.69;
212.113.200.71; 212.113.200.73; }; to my named.conf.

My "options" section now looks thus.

options {
        directory "/var/named";
        // Put the Zone Files in Here

        //check-names master warn;
        statistics-file "/var/log/named_stats.log";

        // Allows lookups only to specified addresses
        allow-recursion { 10.0.0.1; 10.0.0.2; 10.0.0.3; 10.0.0.4;
212.113.200.69; 212.113.200.71; 212.113.200.73; };


};

Now as I understand it, if a client that is NOT in the allow-recursion list
makes a request for info on a domain that I do not host, it should not
resolve / accept the query.

i.e.

dig www.sun.com


To test this I did a lookup from my workstation 217.34.194.218. I did an

nslookup
server 212.113.200.71 (which is my name server)

then did 

www.sun.com 

I get back 

> www.sun.com
Server:         212.113.200.71
Address:        212.113.200.71#53

Non-authoritative answer:
*** Can't find www.sun.com: No answer

which is what I expect.
However I see
client 217.34.194.218#32808: query: www.sun.com IN A
appear in the named.log file?? So my machine accepts the query but refuses
to look it up, is this right?


I decided to test a few more options.

I do 

www.microsoft.com 

> www.microsoft.com 
Server:         212.113.200.71
Address:        212.113.200.71#53

Non-authoritative answer:
*** Can't find www.microsoft.com: No answer
> 

which is looking good.

However

> www.demon.net
Server:         212.113.200.71
Address:        212.113.200.71#53

Non-authoritative answer:
Name:   www.demon.net
Address: 194.159.254.213 

This works, yet it is not hosted on my server. Why does this domain work??



I am also seeing lots of things like:
client 10.0.0.2#32806: query: 192.111.241.129.in-addr.arpa IN PTR
client 10.0.0.2#32807: query: sprint.idi.ntnu.no IN A 

in the named.log

10.0.0.2 is my INTERNAL IP address for my name servers; how is someone else
using this???
How can I stop this??


Sorry for the long questions, I hope you have enough details.

thanks, 

Matt.
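As an added example (not part of Matt's post, and not BIND's own tooling), a short script that checks the query-log lines quoted above against the allow-recursion ACL from the named.conf in the post, separating queries for zones the server hosts from recursion attempts by clients outside the ACL. The hosted zone name is an assumption, since the post does not list the zones the server is authoritative for, and the parser assumes the query-log line format shown in the post.

```python
import ipaddress
import re

# allow-recursion ACL exactly as quoted from the named.conf in the post
ALLOW_RECURSION = [ipaddress.ip_network(a) for a in (
    "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4",
    "212.113.200.69", "212.113.200.71", "212.113.200.73")]
# Zones this server is authoritative for: the post does not name them,
# so this is an assumed placeholder; list your own zones here.
HOSTED_ZONES = ("example.net.",)
# Query-log line format as it appears in the post (older BIND 9 style)
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
                      r"(?P<name>\S+) IN (?P<qtype>\w+)")

def in_acl(ip):
    """True if the client address matches an allow-recursion entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_RECURSION)

def in_hosted_zone(name):
    """True if the name is at or below a zone this server serves."""
    fqdn = name.lower().rstrip(".") + "."
    return any(fqdn == z or fqdn.endswith("." + z) for z in HOSTED_ZONES)

def classify(line):
    """Parse one query-log line; None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    ip, name, qtype = m.group("ip", "name", "qtype")
    return {"ip": ip, "name": name, "qtype": qtype,
            "acl": in_acl(ip), "hosted": in_hosted_zone(name)}

def audit(lines):
    """(ip, name, qtype) of queries from clients outside the ACL for names
    outside the hosted zones: the recursion attempts allow-recursion refuses.
    They still appear in the log because BIND logs a query on arrival,
    before it decides whether to recurse for it."""
    return [(q["ip"], q["name"], q["qtype"]) for q in map(classify, lines)
            if q and not q["acl"] and not q["hosted"]]

# Constructed sample: the three log lines quoted in the post plus one
# made-up query for the assumed hosted zone from an outside address.
SAMPLE_LOG = """\
client 217.34.194.218#32808: query: www.sun.com IN A
client 10.0.0.2#32806: query: 192.111.241.129.in-addr.arpa IN PTR
client 10.0.0.2#32807: query: sprint.idi.ntnu.no IN A
client 198.51.100.7#5353: query: www.example.net IN A
"""
```

Run `audit(open("/var/log/named.log").read().splitlines())` against a real query log to list the off-ACL recursion attempts; the 10.0.0.2 lines fall inside the ACL and the www.example.net line is an authoritative query, so neither is reported.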