On 2012-09-17 14:36, Gilles Detillieux wrote:
My understanding is that open DNS servers that allow unrestricted recursion are frowned upon these days, for the very reasons for which you've expressed concern. I believe best practice nowadays is to specify a limited set of subnets for which you allow recursion. For example, at the U of M we'll typically include something like the following in the "options" section of our named.conf files, to prevent recursive lookups from outside users:
allow-recursion { 140.193.0.0/16; 130.179.0.0/16; };
Another way of doing this, which would allow even more flexibility in configuring BIND for internal vs. external access, is to define two views:
view internal_resolver {
    match-clients { YOUR.SUB.NET.ADDR/CIDR; };
    match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
    recursion yes;
    include "/etc/named.internal.zones";
};

view external_resolver {
    match-clients { any; };
    recursion no;
    include "/etc/named.external.zones";
};
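An added verification script, not part of Gilles's message: a small Python probe that sends one recursive query to a server you name and reports whether the reply carries the RA (recursion available) flag with a NOERROR status, so you can confirm from an outside address that the restricted configuration above really refuses recursion. The server address, query name and the two sample replies at the end are constructed for illustration, not captured traffic.

```python
"""Check whether a DNS server offers recursion to the host this runs on."""
import socket
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question

def parse_flags(response: bytes) -> dict:
    # Only the 4-byte header prefix matters here: transaction ID and flags word.
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response bit
        "ra": bool(flags & 0x0080),    # recursion available
        "rcode": flags & 0x000F,       # 0 = NOERROR, 5 = REFUSED
    }

def recursion_offered(response: bytes) -> bool:
    # A resolver that serves us recursively answers with RA set and NOERROR;
    # a BIND view/ACL that excludes us clears RA and typically returns REFUSED.
    f = parse_flags(response)
    return f["qr"] and f["ra"] and f["rcode"] == 0

def probe(server: str, qname: str = "example.com.", timeout: float = 3.0) -> bool:
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch; ignoring reply")
    return recursion_offered(data)

# Constructed sample headers (not real captures) for offline checking:
RESPONSE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR
RESPONSE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE=5

if __name__ == "__main__":
    import sys
    server_addr = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder
    print("recursion offered:", probe(server_addr))
```

Run it from a host outside the allow-recursion subnets; a correctly restricted server should report False.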