[Pdns-users] to recurse or not to recurse ...
Tony Adams
aadams at esnet.com
Fri Dec 15 15:01:07 UTC 2006
Use the following directive in the pdns.conf file to limit recursion to
specific networks.
#################################
# allow-recursion List of netmasks that are allowed to recurse
#
Tony Adams
Sr. Systems Engineer
E Solutions Corporation
> -----Original Message-----
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] On Behalf Of Udo Rader
> Sent: Friday, December 15, 2006 9:56 AM
> To: pdns-users at mailman.powerdns.com
> Subject: [Pdns-users] to recurse or not to recurse ...
>
> Hi,
>
> we are hosting a couple of domains using powerdns, filled by the LDAP
> backend.
>
> Now I've come across a site that tests DNS settings and essentially for
> all the domains we host we get some warnings, so for example:
>
> -------CUT--------
> Took off 20 points since ns1.example.com does not respond
> authoritatively (can cause unexpected responses and add delays).
>
> Took off 10 points since ns1.example.com is an open DNS server (if
> abused, your DNS may be inaccessible, and over usage could result in
> slowdowns).
> -------CUT--------
>
> The first warning is about the notorious "authoritative" problem, dig
> clearly shows that the AA bit has been set, so that's probably a false
> positive.
>
> Yet the second warning frightens me a bit. This obviously means that
> everybody can query our name server for any other domain. So far this
> did not really scare me but after googling around this seems to be a
> risk.
>
> Now I have 2 questions:
>
> #1 is this really a "risk" except for potentially burdening our name
> servers with queries from external clients?
>
> #2 and if it is a risk, how would I limit the recursion so that only
> our own domains are recursed? recursor.conf knows the auth-zone
> directive, yet I can hardly use it with the LDAP backend. Or maybe I am
> missing something basic here?
>
> TIA
>
> Udo Rader
>
> --
> bestsolution.at EDV Systemhaus GmbH
> http://www.bestsolution.at
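
An added example, not part of the original thread or of PowerDNS: a small Python check that decodes the AA and RA bits and the RCODE from a DNS reply, so both warnings quoted above (the missing "authoritative" answer and the "open DNS server") can be verified against your own name server from an outside address. The function names and the sample reply headers are constructed for illustration, and REFUSED as the reply from a server that denies recursion is an assumption.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal A/IN query with RD=1, i.e. 'please recurse for me'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(response):
    """Decode the 12-byte DNS header and say how the server treated the query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    if aa:
        verdict = "authoritative"      # server owns the zone (AA bit set)
    elif ra and rcode == 0 and answers:
        verdict = "open-recursion"     # recursed for this client and answered
    elif rcode == 5:
        verdict = "refused"            # REFUSED: recursion denied to this client
    else:
        verdict = "no-recursion"       # e.g. referral or empty answer
    return {"aa": aa, "ra": ra, "rcode": rcode, "answers": answers, "verdict": verdict}

def probe(server, name, timeout=3.0):
    """Send one UDP query to your own server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed sample headers (id, flags, qdcount, ancount, nscount, arcount)
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)     # QR+AA+RD
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR+RD+RA
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR+RD, rcode 5

if __name__ == "__main__":
    for label, pkt in [("hosted zone", SAMPLE_AUTH), ("foreign name, open server", SAMPLE_OPEN),
                       ("foreign name, refusing server", SAMPLE_REFUSED)]:
        print(label, classify(pkt))
```

Run probe() from a host outside the netmasks listed in allow-recursion: a hosted name should classify as "authoritative", and a name you do not host should no longer classify as "open-recursion".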