[dns-operations] Best Practices in DNS security

Lutz Donnerhacke lutz at iks-jena.de
Fri Mar 17 08:17:46 UTC 2006

* Paul Vixie wrote:
> some answers based on my BIND9 experiences.
> i've found that the best thing to do is an allow-query directive listing
> the local address space.  firewalls can theoretically be better, but are
> usually harder to reconfigure when new "inside" address space is added.
> note that there is an allow-recursion ACL that doesn't do what most folks
> think it does.  this ACL will prevent recursion from being done on behalf
> of non-ACL-matching source addresses, but still gives access to authority
> data or previously-cached recursive data.  my advice is, don't use this.

Following the discussions of amplifying attacks, I tested our bind9.3.2
installations. The tested config was:
  acl iks {; 2001:4bd8::/32; };
  options {
    allow-query {iks;};
    # no allow-recursion statement
  authoritive zone data

This configuration allows remote clients to query recursivly.

After adding "allow-recursion {iks;};" to the option list, the servers do
behave as expected: REFUSED for remote queries other than authoritive.

More information about the dns-operations mailing list