As we've already pointed out, it is something in the way your system is configured (you're doing everything in global options instead of using views to separate the different "classes" of users) and that you are running both authoritative and caching functions on the same server.

You can create 2 views, "authorised" and "everyone else", which both reference the same domain zone files so you don't need to duplicate the zones. For the authorised view there is an ACL limiting who can access the view; the view also has recursion enabled. The unauthorised view is listed second in the config file, there is an "any" ACL on the view and recursion is explicitly disabled. That should do what you want it to do.

Also, do you really need to run caching services for your external customers? 8.8.8.8 and 8.8.4.4 are there for this type of requirement. DNS amplification problems are only going to get worse in future given the effects enabling DNSSEC cause, so if you are going to take on hosting your own DNS be sure your pipe has plenty of bandwidth; otherwise I'd generally leave it to the ISPs who have enough bandwidth to deal with a DDoS.

Steve
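As an added example (not Steve's own configuration), this is what the two-view layout described above looks like in a BIND 9 named.conf. The ACL network 192.0.2.0/24, the zone example.com and the file paths are placeholders, and the rate-limit lines are an addition beyond what the post describes.

```conf
// Added example, not from the original post: two views sharing one zone file.
// 192.0.2.0/24, example.com and the paths are constructed placeholders.

acl "authorised" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;            // placeholder: the customers allowed to recurse
};

options {
    directory "/var/named";
    // No recursion or allow-* settings here: each view decides for its clients.
    minimal-responses yes;   // smaller answers carry less amplification value
};

// Listed first, so matching clients land here: recursion plus authoritative data.
view "authorised" {
    match-clients { "authorised"; };
    recursion yes;
    allow-query-cache { "authorised"; };

    zone "example.com" {
        type master;
        file "zones/db.example.com";   // same file as below, nothing duplicated
    };
};

// Listed last with an "any" match: everyone else gets authoritative answers only.
view "everyone-else" {
    match-clients { any; };
    recursion no;                      // closes the open-resolver hole
    allow-query-cache { none; };

    // Beyond the post: response rate limiting blunts reflection traffic
    // without affecting normal authoritative lookups.
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    zone "example.com" {
        type master;
        file "zones/db.example.com";
    };
};
```

Check it with `named-checkconf` before reloading; a client outside the ACL should then receive REFUSED for a recursive query against a foreign name but a normal answer for example.com.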