> On 06.05.2021 at 16:45, Tony Finch <d...@dotat.at> wrote:
>
> Axel Rau <axel....@chaos1.de> wrote:
>
>> I have,
>>
>> allow-query { any; };
>> allow-query-cache { recursive-users; };
>> allow-recursion { recursive-users; };
>>
>> How can I make sure that non-recursive-users get a REFUSED if the query is
>> recursive?
>
> Weird! I think your config should do what you want so I wonder why it
> isn't working. Your server is responding to the problem queries with a
> referral from the root zone, so have you configured your server with a
> local authoritative copy of the root?

Yes.

> There's a broader issue here:
>
> Usually when you have a server that is providing recursive service to
> anyone, it is best to set the allow-query ACL to cover just your users, so
> everyone else gets REFUSED.
>
> This means that your recursive server cannot also be used as an
> authoritative server advertised in NS records. Your public authoritative
> servers should be authoritative-only and not offer recursion to anyone.
>
>> PS: I want to minimize the responses to this amplification attack:
>
> Ooh, RRSIG queries are fun. They are like a stealth ANY query.
>
> BIND has several tools for dealing with this kind of junk:
>
> * RRL is very effective
>
> * minimal-any also minimizes responses to RRSIG queries
>
> * minimal-responses can also help to reduce packet sizes
>
> Your server is responding with a referral from the root, so minimal-any
> won't have any effect on the response. And because it's a referral, the
> glue etc. is not optional, so there's nothing that minimal-responses can
> omit. So in your situation the most useful things to do would be:
>
> * tighten up your allow-query ACL
>
> * if you can't do that, use RRL (you can add recursive-users to the
> exempt-clients list)
>
> * configure separate views for recursive-users and others; do not
> include the root zone in your external view

Currently, I have:

minimal-responses yes;
require-server-cookie yes;
rate-limit {
    responses-per-second 5;
    exempt-clients { recursive-users; };
};

which do not really help.

This NS has some other clients in the DMZ LAN, so I need views. I gave up on
views years ago and now I have to learn to use them with all the recent stuff,
like in-view. in-view can be helpful to reference the auth zones in the local
view, I guess.

Thanks for your comprehensive explanation,
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
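The view split Tony suggests at the end of his reply, written out as an added named.conf example that is not part of this thread. It assumes BIND 9.16-era keywords (mirror, primary, in-view), placeholder networks in the recursive-users ACL and a placeholder authoritative zone example.net.

```conf
// Added example, not from the thread: separate views so that only
// recursive-users get recursion and the local root copy, while everyone
// else sees an authoritative-only server with no root zone to refer to.
// Assumptions: BIND 9.16+ keywords, placeholder ACL ranges and zone name.
acl recursive-users { 192.0.2.0/24; 2001:db8::/32; };

options {
    minimal-responses yes;
    minimal-any yes;
    require-server-cookie yes;
};

// The first view whose match-clients matches wins, so users come first.
view "internal" {
    match-clients { recursive-users; };
    recursion yes;
    allow-query { recursive-users; };
    allow-query-cache { recursive-users; };
    allow-recursion { recursive-users; };

    // The local copy of the root lives only in this view (mirror zone,
    // BIND 9.14+; its primaries default to the root servers).
    zone "." { type mirror; };

    // Zones this host is authoritative for are loaded once, here.
    zone "example.net" { type primary; file "example.net.db"; };
};

// Everyone else: authoritative-only, no root zone, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };

    // in-view reuses the zone already loaded by "internal" instead of
    // loading a second copy of the same data.
    zone "example.net" { in-view "internal"; };

    // With no root zone in this view there is no referral to send back, so
    // an RRSIG query for a name outside example.net is answered with
    // REFUSED; answers for example.net itself are trimmed by minimal-any
    // and throttled by RRL. No exempt-clients here: users never reach it.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;
    };
};
```

Check the split with a non-recursive RRSIG query from an address outside recursive-users: the expected status is REFUSED rather than a root referral, and queries from inside the ACL should still resolve.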