From: Len Conrad [mailto:[EMAIL PROTECTED]]

>What W2K recursion can't do is be restricted with ACL the way BIND
>can. W2K recursion is either on or off.
>
>If the DNS is publicly accessible and recursion is on, then it's vulnerable
>to being easily DOS'd with 1000's of spoofed queries, even from a single
>source.

I hadn't thought of a scenario where internet-facing name servers needed recursion. We use split DNS with private IP addresses on my LAN.

If you're using the same DNS servers to service both internal and internet clients, well... I see the issue. BIND would probably be the best option, although not a zero-cost one for most Windows networkers (non-trivial training and initial configuration hours).

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences.
- PJ O'Rourke
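
The ACL-restricted recursion mentioned in the quoted text, applied to the case of one server answering both internal and internet clients, as an added named.conf sketch that is not part of either message. The address ranges, the example.com zone and the file paths are constructed placeholders, and the views assume BIND 9.

```conf
// Constructed example: names, networks and paths are placeholders.

// Clients that are allowed to use this server as a resolver.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;        // placeholder for the private LAN range
    192.168.0.0/16;
};

options {
    directory "/var/named";

    // Weak setting, equivalent to a plain on/off switch left "on":
    // every source on the internet can trigger recursive lookups.
    //   recursion yes;
    //   allow-recursion { any; };

    // Restricted setting: recursion stays on, but only for the ACL.
    recursion yes;
    allow-recursion { "internal"; };
};

// Split DNS on one server: internal clients get recursion and the
// private view of the zone.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone else gets authoritative answers only, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Views are matched in order, so the internal view must come before the catch-all external one.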
