I've never actually used RRL, but from the manual, it appears to default to a
/24 prefix length to determine whether IPv4 clients are "similar" enough to be
lumped in the same bucket, for RRL purposes. That might need to be tweaked,
depending on the profile of whoever is attacking/abusing you. T
[ Classification Level: GENERAL BUSINESS ]
Dot "." instead of asterisk "*" as the zone name. Remove the "hint" zone,
since that doesn't apply when you host your own root zone.
You need a proper MNAME for the SOA RR too.
- Kevin
On Wed, Jul 21, 2021 at 11:18 A
[ Classification Level: GENERAL BUSINESS ]
I've done the match-destinations/query-source thing before, but in addition
to that, it should theoretically be possible to also use a shared cache
between the views, via attach-cache. I've never played with that directive
myself, however.
[ Classification Level: GENERAL BUSINESS ]
That chapter doesn't show any PTR records, for the reverse zones of any
*public* address range, pointing back to a "localhost" name. It only shows
a PTR record in the reverse zone for the 127.0.0/24 private range, which is
what enables a reverse lookup f
[ Classification Level: GENERAL BUSINESS ]
I just checked the ARM, and it denotes that "match-recursive-only"
(boolean) still exists for views. So, you might be able to set up a special
view with that, as well as a negated match-clients, specifying allow-query
{ none; }. Put it as the first view,
[ Classification Level: GENERAL BUSINESS ]
Duplicate RRs are suppressed, as per the standards.
RFC 2181, Section 5:
Each DNS Resource Record (RR) has a label, class, type, and data. It
is meaningless for two records to ever have label, class, type and
data all equal - servers should suppr
[ Classification Level: GENERAL BUSINESS ]
Ivan,
I've never done the Let's Encrypt thing myself, but from my skim
of the documentation, it appears they want you to place a TXT record in a
specific part of your domain's namespace hierarchy.
I sincerely hope you're not trying to write th
[ Classification Level: GENERAL BUSINESS ]
It's not a "BIND" solution, per se, but if you have a
sufficiently-sophisticated IPS (Intrusion Prevention System) you could have
it simply drop all queries of a particular QNAME, or any particular
combination of QNAME, QTYPE, QCLASS, before those packet
8 matches