<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<!-- Template generated by Exclaimer Mail Disclaimers on 03:32:51 Monday, 6 October 2014 -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">P.7fa4818c-738d-43c7-986c-2d0bca862c08 {
        MARGIN: 0cm 0cm 0pt
}
LI.7fa4818c-738d-43c7-986c-2d0bca862c08 {
        MARGIN: 0cm 0cm 0pt
}
DIV.7fa4818c-738d-43c7-986c-2d0bca862c08 {
        MARGIN: 0cm 0cm 0pt
}
TABLE.7fa4818c-738d-43c7-986c-2d0bca862c08Table {
        MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
        page: Section1
}
</style>
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<p class="7fa4818c-738d-43c7-986c-2d0bca862c08"></p>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Turning off recursion in BIND isn’t really that difficult either.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In the main options section of named.conf you set (among your other options):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">allow-recursion { internaldns; };<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You then create an ACL called internaldns. That can have multiple IPs or ranges e.g.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">acl "internaldns" { 192.168.1.9; 10.0.45/22; };<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In our case we also have an acl for externaldns to allow certain of our internet facing devices to also come in but that isn’t required for many folks – if
you need it you just add it to the allow-recursion statement as a second item and add the acl.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>James Sumners<br>
<b>Sent:</b> Monday, October 06, 2014 1:37 PM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Fwd: Under Attack, my dns servers<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Oct 6, 2014 at 1:14 PM, Lightner, Jeff <<a href="mailto:JLightner@dsservices.com" target="_blank">JLightner@dsservices.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You can and SHOULD turn off recursion from external facing interface as anyone coming to you should only be resolving the domains for which you are authoritative.
You can leave recursion on for the internal facing network but should do that only if your internal folks use your DNS servers to resolve external domains (e.g.
<a href="http://google.com" target="_blank">google.com</a>, <a href="http://yahoo.com" target="_blank">
yahoo.com</a> etc…).</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
PowerDNS makes this _super_ easy -- <a href="https://www.powerdns.com">https://www.powerdns.com</a><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
James Sumners<br>
<a href="http://james.roomfullofmirrors.com/">http://james.roomfullofmirrors.com/</a><br>
<br>
"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly
addicted."<br>
<br>
Missionaria Protectiva, Text QIV (decto)<br>
CH:D 59 <o:p></o:p></p>
</div>
</div>
</div>
<p></p>
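<p class="MsoNormal">Added example, not part of the original e-mail: a small check to confirm that the allow-recursion restriction discussed above took effect. Run it against your own server from a host outside the internaldns ACL; it sends one query with the RD bit set and reads the RA flag and rcode from the reply. The function names and the sample reply bytes are constructed for illustration.</p>

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data, qid=0x1234):
    """Return the RA flag, rcode and answer count from a response header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    return {"ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": ancount}

def recursion_offered(hdr):
    """True if the server was willing to recurse for this client."""
    return hdr["ra"] and hdr["rcode"] != "REFUSED"

def check_server(server_ip, name="example.com", timeout=3.0):
    """Query your own server for a name it is NOT authoritative for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return recursion_offered(parse_header(data))

# Constructed sample replies (headers only), not captured traffic.
# QR=1 RD=1 RA=0 rcode=REFUSED: what a client outside the ACL should see.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# QR=1 RD=1 RA=1 rcode=NOERROR with one answer: recursion is still open.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    print("denied client sees recursion:", recursion_offered(parse_header(REFUSED_REPLY)))
    print("open resolver sees recursion:", recursion_offered(parse_header(OPEN_REPLY)))
```

<p class="MsoNormal">check_server("your.server.ip") should return False from outside the ACL and True from a host listed in internaldns.</p>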
</body>
</html>