First and foremost, you need to upgrade your version of BIND. It is vulnerable to the recent DNS cache poisoning vulnerability that I'm sure you have heard about by now.

See http://www.isc.org/sw/bind/bind-security.php for more information.

Josh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Laws
Sent: Wednesday, July 30, 2008 11:11 AM
To: [email protected]
Subject: Preventing recursion ... (preventing confusion?)

OK, so I'm not running *real* BIND, but Redhat's "special" version (bind-9.2.4-22.el3).

On my authoritative servers, I have allow-query set to 'any' (has to be that, of course) and allow-recursion set to an acl that allows just our inside networks. I *thought* that would allow folks to look up zones for which we were authoritative and give the e-finger to anyone off-campus asking for anything else.

Apparently that's not quite the case. When I dig for, say, google.com from off-campus against my nameservers, I get one of two kinds of answers:

From my master, I get A, NS, and glue for google.com.

From my slaves, I get NS and glue only.

I thought that by setting allow-recursion to my own little part of the world, any request for zones for which I'm not authoritative would just get (pick your analogy) a blank stare or the e-finger?

So, am I 1) confused about allow-recursion, 2) not correctly configured (see also #1) or 3) looking at a bug in RH's diddling of BIND?

Peter

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
[EMAIL PROTECTED]
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, [EMAIL PROTECTED] Thank you!
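An added configuration example, not from either poster, showing the distinction the question turns on: allow-recursion only decides who may make the server go out and fetch an answer, while records already in the cache (put there by an earlier on-campus lookup) are governed separately. It assumes BIND 9.4 or later, where the allow-query-cache option exists; the ACL name "campus", the 10.0.0.0/8 prefix and the zone name are placeholders.

```conf
// Added example, not the poster's real named.conf. Assumes BIND 9.4+.
// "campus" and 10.0.0.0/8 stand in for the poster's inside networks.
acl "campus" { 10.0.0.0/8; 127.0.0.1; };

options {
    // Anyone may ask about zones this server is authoritative for.
    allow-query { any; };

    // Only campus clients may make the server recurse, i.e. fetch an
    // answer it does not already hold.
    allow-recursion { campus; };

    // Only campus clients may read answers already sitting in the cache.
    // Without this, a non-recursive query from outside can still be answered
    // from cache, which would explain A records for google.com coming back
    // from the master (it had resolved the name for someone inside earlier)
    // while the slaves only return a referral (NS + glue) from the root hints.
    allow-query-cache { campus; };

    // If these servers never need to recurse for anyone, the simpler and
    // safer setting is to turn recursion off entirely:
    // recursion no;
};

zone "example.edu" {
    type master;
    file "example.edu.zone";
    // A zone-level allow-query would override the global one for this zone only.
};
```

On the 9.2.x series named in the question there is no allow-query-cache; there, allow-query governs cache responses as well, so separating campus and off-campus clients into different views is the way to get the same effect.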
