Sam Fourman Jr. wrote:
>> > I assume that if I want to host email for 10 different domains I have
>> > to have these set
>> >
>> > allow-recursion { any; };
>>
>> This allows anybody to use your nameserver as a resolver (e.g.
>> anyone can ask you to lookup domains for them). You shouldn't
>> do this at all without a very good reason (one example being if
>> you're providing DNS to VPN clients and filtering non-VPN traffic).
>> Doing so without other controls leaves you open to being an
>> attack amplifier for anyone who can send a UDP packet with an
>> invalid source address, and also may open you up to DNS poisoning.
>>
>> If you're currently using a setup that involves the same IP
>> address for both authoritative (domains you host) and recursive
>> queries (client DNS requests), you should get these split onto
>> separate addresses.
>>
>
> so if I understand this, the correct way to set up DNS
> is to have one nameserver do just recursive queries
> and a separate name server on a separate ip address have the actual domain
> files
Ah, you go wrong right at the start, when you use the phrase "the
correct way." ;-) There are many ways of doing this, and a fair number
of them are arguably correct. (Obviously many of the others range from
silly to really, really bad.) I suspect that Stuart Henderson and I
will just have to agree to respectfully disagree, a bit.
It is true that one of the easier ways of distinguishing between
providing recursive lookups for local resolvers and providing
non-recursive lookups of authoritative data for the world at large is to
simply run two servers on two IP addresses. Easier to prove that you've
locked things down appropriately, makes firewalling the former possible,
allows you to grow the two servers onto separate pieces of hardware if
you grow (I once got to watch an ISP split their DNS servers into pieces
when their hardware started staggering under the load--it was much more
painful than it had to be).
However, if you're not rolling in IP addresses and are pretty sure that
big growth is not in your DNS servers' future, you can get pretty close
with some ACLs. For example, I have some servers which have something
along the lines of:
acl "clients" { <all the local ip addresses allowed to do recursive
                 lookups> };
acl "nameservers" { <all secondary nameservers and management stations
                     allowed to do zone transfers> };
options {
    ....
    allow-query { "clients"; };
    allow-recursion { "clients"; };
    allow-transfer { "nameservers"; };
};
zone "example.com" in {
    type master;
    file "master/db.example.com";
    allow-query { any; };
};
The upshot is that client addresses can send queries, including
recursive ones, for anything. The rest of the world can only send
non-recursive queries for the zones for which this server is authoritative.
--Jon Radel
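As an added illustration of the point both replies make (not code from anyone in this thread), the small Python script below reads a named.conf, expands the ACLs referenced by allow-recursion, allow-query and allow-transfer, and reports whether the server is configured as an open resolver. The two embedded configurations are constructed for this example: the first is the `allow-recursion { any; }` setting Sam asked about, the second follows the ACL pattern Jon describes. The parser is a deliberately simple one (it assumes comments do not appear inside quoted strings and that `options`, `acl` and `zone` statements are top level), and the "not set" findings assume BIND's documented defaults: recursion is on unless `recursion no;` is given, and allow-transfer defaults to any.

```python
import re

# Two constructed named.conf fragments written for this example (not from the thread).
OPEN_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };      // anyone on the Internet may recurse through us
};
zone "example.com" in {
    type master;
    file "master/db.example.com";
};
"""

SPLIT_CONF = """
acl "clients" { 192.0.2.0/24; 127.0.0.1; };         # hosts allowed recursive lookups
acl "nameservers" { 198.51.100.2; 198.51.100.3; };  # secondaries allowed zone transfers
options {
    directory "/var/named";
    allow-query { "clients"; };
    allow-recursion { "clients"; };
    allow-transfer { "nameservers"; };
};
zone "example.com" in {
    type master;
    file "master/db.example.com";
    allow-query { any; };          // the world may still ask about our own zone
};
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts (assumes none sit inside quotes)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _brace_block(text, open_idx):
    """Return the contents of the {...} block whose opening brace is at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _statements(text, keyword):
    """Yield (header, body) for every statement that starts with keyword, e.g. zone "x" in {...}."""
    for m in re.finditer(r"(?<![\w-])%s\b([^{;]*)\{" % keyword, text):
        yield m.group(1).strip(), _brace_block(text, m.end() - 1)


def _tokens(body):
    return [t.strip().strip('"') for t in body.split(";") if t.strip()]


def _address_list(body, name):
    """Token list of an address-match directive such as allow-recursion, or None if absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), body)
    return _tokens(m.group(1)) if m else None


def audit_named_conf(text):
    """Summarise who may recurse, query and transfer, and flag an open resolver."""
    text = _strip_comments(text)
    acls = {h.strip('"'): _tokens(b) for h, b in _statements(text, "acl")}

    def expand(tokens):
        # Replace ACL names with their members so a scope is a flat list of hosts/networks.
        out = []
        for t in tokens or []:
            out.extend(expand(acls[t]) if t in acls else [t])
        return out

    options = next((b for _, b in _statements(text, "options")), "")
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", options)
    recursion = m.group(1) if m else "yes"           # assumption: BIND recurses unless told not to
    rec_scope = expand(_address_list(options, "allow-recursion"))
    xfr_scope = expand(_address_list(options, "allow-transfer"))
    findings = []
    if recursion == "no":
        open_resolver = False
    elif not rec_scope:
        open_resolver = None                          # left to the BIND version's built-in default
        findings.append("allow-recursion not set: confirm this version's default restricts it")
    else:
        open_resolver = "any" in rec_scope
        if open_resolver:
            findings.append("allow-recursion { any; }: open resolver (amplification/poisoning risk)")
    if not xfr_scope:
        findings.append("allow-transfer not set: zone transfers are not restricted")
    zones = {}
    for header, body in _statements(text, "zone"):
        name = header.split()[0].strip('"')
        # A zone's allow-query overrides the global one; neither set means "any" (BIND default).
        zone_query = _address_list(body, "allow-query") or _address_list(options, "allow-query")
        zones[name] = {"allow-query": expand(zone_query) if zone_query else ["any"]}
    return {"open_resolver": open_resolver, "recursion_scope": rec_scope,
            "transfer_scope": xfr_scope, "zones": zones, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("split", SPLIT_CONF)):
        print(label, audit_named_conf(conf))
```

Run against the first fragment it reports an open resolver and unrestricted transfers; against the second it reports recursion limited to the "clients" networks, transfers limited to the listed secondaries, and example.com queryable by anyone, which is exactly the upshot Jon describes. Reading the configuration this way is a useful desk check, but it only shows intent: confirm the running server agrees by sending it a recursive query for a zone it is not authoritative for from an address outside the ACL and checking that the answer comes back REFUSED.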