Use the following directive in the pdns.conf file to limit recursion to specific networks.

    #################################
    # allow-recursion    List of netmasks that are allowed to recurse
    #

Tony Adams
Sr. Systems Engineer
E Solutions Corporation

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:pdns-users-[EMAIL PROTECTED]] On Behalf Of Udo Rader
> Sent: Friday, December 15, 2006 9:56 AM
> To: [email protected]
> Subject: [Pdns-users] to recurse or not to recurse ...
>
> Hi,
>
> we are hosting a couple of domains using powerdns, filled by the LDAP
> backend.
>
> Now I've come across a site that tests DNS settings and essentially for
> all the domains we host we get some warnings, so for example:
>
> -------CUT--------
> Took off 20 points since ns1.example.com does not respond
> authoritatively (can cause unexpected responses and add delays).
>
> Took off 10 points since ns1.example.com is an open DNS server (if
> abused, your DNS may be inaccessible, and over usage could result in
> slowdowns).
> -------CUT--------
>
> The first warning is about the notorious "authoritative" problem, dig
> clearly shows that the AA bit has been set, so that's probably a false
> positive.
>
> Yet the second warning frightens me a bit. This obviously means that
> everybody can query our name server for any other domain. So far this
> did not really scare me but after googling around this seems to be a
> risk.
>
> Now I have 2 questions:
>
> #1 is this really a "risk" except for potentially burdening our name
> servers with queries from external clients?
>
> #2 and if it is a risk, how would I limit the recursion so that only
> our own domains are recursed? recursor.conf knows the auth-zone
> directive, yet I can hardly use it with the LDAP backend. Or maybe I am
> missing something basic here?
>
> TIA
>
> Udo Rader
>
> --
> bestsolution.at EDV Systemhaus GmbH
> http://www.bestsolution.at
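An added example, not from this thread: after restricting allow-recursion in pdns.conf, a defender wants to confirm from an outside address that the server no longer recurses for foreign names. The script classifies a dig response (the name www.not-our-zone.example and the netmasks in the comment are assumed placeholders).

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed pdns.conf setting
# being verified, with placeholder netmasks for our own networks:
#   allow-recursion=127.0.0.1,192.0.2.0/24
#
# classify_dig_output reads dig output on stdin and prints:
#   open    - status NOERROR with the "ra" (recursion available) flag,
#             i.e. the server recursed for us
#   closed  - REFUSED, or an answer without "ra"
classify_dig_output() {
  out=$(cat)
  # status from the ";; ->>HEADER<<- ... status: NOERROR" line
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  # flag list from the ";; flags: qr rd ra;" line
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case " $flags " in
    *" ra "*) has_ra=1 ;;
    *)        has_ra=0 ;;
  esac
  if [ "$status" = "NOERROR" ] && [ "$has_ra" = 1 ]; then
    echo open
  else
    echo closed
  fi
}

# probe_server queries SERVER for a name it is not authoritative for and
# classifies the reply. Run it from an address outside allow-recursion;
# the expected result after the change is "closed".
probe_server() {
  dig +tries=1 +time=3 @"$1" "$2" A | classify_dig_output
}

# Usage (placeholder server and name):
#   probe_server ns1.example.com www.not-our-zone.example
```

Querying a name inside one of your own zones should still succeed (with the aa flag) regardless of the client address, since allow-recursion only governs recursion.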
