Quoting Matthew Huff <mhuff@ox.com>:
Given the recent DNS amplification attacks, I've audited and updated our authoritative servers. We are using 9.6.0-P1 now. I've been using the Cymru templates, but one thing I see is that the DNS queries to the . hint file are still occurring and are not being denied by our servers. For example:
    27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
    27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +
the named.conf has:
    ...

    view "external-in" in {
        match-clients { any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
            type hint;
            file "db.cache";
        };
        ...
Since you can't put an "allow-query { none; };" in a hint zone, what can I do to deny the query to the . zone file?
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
Hi Matthew,

I'm using the following with 9.5.1:

    view "external" {
        recursion no;
        allow-query-cache { none; };
        zone "." IN {
            type hint;
            file "/var/named/named.ca";
        };
    };

And my logs indicate that the requests for . IN NS are being denied:

    Jan 28 08:40:38 web1 named[12337]: client 64.57.246.146#33453: view external: query (cache) './NS/IN' denied
    Jan 28 08:40:39 web1 named[12337]: client 67.192.144.0#41794: view external: query (cache) './NS/IN' denied

Cheers,
Jay
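An added example, not from either poster: a small Python parser for the two named log line shapes quoted in this thread (the "queries" channel line and the "query (cache) ... denied" line), so that after applying Jay's allow-query-cache { none; } change one can count, per client, how many root NS queries were merely logged versus actually refused. The sample log lines are constructed to match the thread's formats; the regexes and function names are this example's own assumptions.

```python
import re
from collections import Counter

# 'queries' category line (as in Matthew's log): a query for NAME/TYPE was received
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: view (?P<view>[\w-]+): "
    r"query: (?P<name>\S+) IN (?P<type>\w+)")
# refusal line (as in Jay's log): query rejected by allow-query-cache
DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: view (?P<view>[\w-]+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<type>\w+)/IN' denied")


def classify(line):
    """Return (ip, view, outcome) for a root-zone NS query line, else None.
    outcome is 'received' for a query-log line, 'denied' for a refusal line."""
    m = DENIED_RE.search(line)
    if m and m["name"] == "." and m["type"] == "NS":
        return m["ip"], m["view"], "denied"
    m = QUERY_RE.search(line)
    if m and m["name"] == "." and m["type"] == "NS":
        return m["ip"], m["view"], "received"
    return None  # some other query, or an unrelated log line


def root_ns_summary(lines):
    """Count root NS queries per (client IP, outcome) across an iterable of log lines."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            ip, _view, outcome = hit
            counts[(ip, outcome)] += 1
    return counts


# Constructed sample lines shaped like the ones quoted in the thread.
SAMPLE_LOG = [
    "27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:24.001 queries: client 192.0.2.10#5353: view external-in: query: www.example.com IN A -",
    "Jan 28 08:40:38 web1 named[12337]: client 64.57.246.146#33453: view external: query (cache) './NS/IN' denied",
    "Jan 28 08:40:39 web1 named[12337]: client 67.192.144.0#41794: view external: query (cache) './NS/IN' denied",
]

if __name__ == "__main__":
    for (ip, outcome), n in sorted(root_ns_summary(SAMPLE_LOG).items()):
        print(f"{ip:16} {outcome:9} {n}")
```

A client that keeps showing up under "received" but never under "denied" after the change is one whose root NS queries are still being answered from the hint data.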