At 5:29 PM +0700 2002/10/12, Robert Elz wrote:
> How do you propose that it figure out what is a "local" network and what isn't? The only way would be explicit config, and other than configuring 0/0 as "local" what you create is a maintenance nightmare.

Scan the interfaces (and their netmasks). BIND does that already. Of course, you can always add or over-ride network definitions.

> And in any case, answering queries for random clients from all over the place isn't a real security/reliability problem for anyone other than the random clients. They're the ones choosing to query some random remote server, so they can be expected to either understand what they're doing, or simply not care.

By turning off recursive/caching for non-local clients, you do reduce abuse of services (and potential DoS issues), but more importantly you teach them that they need to be running their own nameservers, and hopefully those machines will be more resistant to cache pollution/poisoning.

> I also half suspect that it is a bit late for this. People have already now learned how DNS servers should be run,

I disagree. Many people seem to think they know how they should be run, but they are wrong. We should make the software more idiot-resistant.

> and for the majority, that's a server that answers queries for local and remote users alike - doing recursive lookups when appropriate.

That capability should exist, yes. But it should not be the default configuration. At the very least, if you were to turn on authoritative service and recursive/caching service on the same machine, the latter should be restricted to local clients.

> Make it impossible to work that way, and much of the population will simply not use the new implementation.

I'm not suggesting that we make it impossible. Just that we make it optional and flip the switch the other way by default.

> Make it optional (as you suggested) and much of the population will simply turn the switch back to the current mode.

Maybe. My experience is that the vast majority of people just take the default (whatever that is). If we can make the default more secure, then most people will benefit.
--
Brad Knowles, <[EMAIL PROTECTED]>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
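As an added illustration of the policy argued in the message above (not code from the thread, from BIND, or from any other resolver), the following Python derives the "local" networks from a constructed interface table, the way a nameserver can from its interfaces and netmasks, lets the operator add explicit networks, and applies the proposed default: recursion only for local clients, with open recursion as an opt-in switch rather than the starting configuration. Function and parameter names are mine.

```python
import ipaddress

# Constructed sample interface table: (address, prefix length), standing in
# for what the server would learn by scanning its own interfaces.
INTERFACES = [
    ("127.0.0.1", 8),
    ("192.0.2.10", 24),
    ("2001:db8:1::53", 64),
]


def local_networks(interfaces=INTERFACES):
    """Derive the set of directly attached networks from address/netmask pairs."""
    return [ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            for addr, plen in interfaces]


def is_local_client(client_ip, extra_networks=()):
    """True when client_ip lies on an attached network or an explicitly added one."""
    ip = ipaddress.ip_address(client_ip)
    nets = local_networks() + [ipaddress.ip_network(n) for n in extra_networks]
    # Membership across IP versions is simply False, so mixed tables are safe.
    return any(ip in net for net in nets)


def decide(client_ip, rd_flag, extra_networks=(), open_recursion=False):
    """Decide how to serve a query.

    rd_flag is the query's Recursion Desired bit. Non-recursive answers
    (authoritative data or referrals) remain available to everyone; recursive
    service is granted only to local clients unless the operator has
    deliberately turned open_recursion on, i.e. the switch defaults to off.
    """
    if not rd_flag:
        return "answer-nonrecursive"
    if open_recursion or is_local_client(client_ip, extra_networks):
        return "recurse"
    # Remote client asking for recursion: answer what we are authoritative
    # for, but do not recurse on its behalf (RA would be cleared in the reply).
    return "answer-nonrecursive"


if __name__ == "__main__":
    for ip, rd in (("192.0.2.77", True), ("198.51.100.5", True), ("198.51.100.5", False)):
        print(ip, "RD=%d" % rd, "->", decide(ip, rd))
```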