[nycbug-talk] dns abuse

Miles Nordin carton at Ivy.NET
Mon Jan 19 15:18:54 EST 2009


>>>>> "mg" == Max Gribov <max at neuropunks.org> writes:

    mg> decided to make . zone a master

that's how opennic/alternic/pacificroot and other bogus TLDs worked,
back when they existed.  It shouldn't break anything if your db.root
is really a copy of the root zone.  I don't think it even needs to be
a particularly up-to-date copy because all the dynamic-updating of
people maintaining their zones is happening at the zones one level
more specific than the root.

but the usual fix is to limit recursive service to your own IPs:

/* named requires an acl to be defined before it is referenced, so the
   acl statements have to come ahead of the options block that uses them.
   "localhost" is a built-in acl; "localhost6" is defined here by hand. */
acl localhost6  { ::1/128; };
acl fw          { 192.168.0.0/16; 69.31.131.32/27; 2610:1f8:dc::/48; localhost; localhost6; };

options {
        /* fucking chinese pointing themselves at me */
        /* only sources matching "fw" get recursion; everyone else is REFUSED */
        allow-recursion { fw; };
};

you can still serve your local authoritative zones to the internet
even though you refuse recursive service to the internet.  The root
servers themselves are configured this way.
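To see exactly which sources the allow-recursion line above lets through, here is an added example (not from the post or from BIND itself) that models named's address-match-list rules in Python: entries are tested in order, the first match wins, a leading "!" negates, and a source that matches nothing is refused. The ACL table is constructed to mirror the posted config; the contents of the built-in "localhost" acl are an assumption (loopback only), and the generalization to negated entries goes beyond what the post shows.

```python
"""Evaluate a BIND-style allow-recursion address-match list.

Added example, not the poster's config or BIND code.  Models named's
semantics: first matching element wins, "!" negates, no match = deny.
"""
import ipaddress

# Constructed table mirroring the posted acls.  "localhost" is a BIND
# builtin (assumed here to be loopback only); "localhost6" is the poster's own.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localhost6": ["::1/128"],
    "fw": ["192.168.0.0/16", "69.31.131.32/27", "2610:1f8:dc::/48",
           "localhost", "localhost6"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}


def _element_matches(element, addr):
    """True if one non-negated element (prefix or acl name) matches addr."""
    if element in ACLS:
        # A nested acl matches only if the address hits a positive entry in it;
        # hitting a negated entry inside it means "does not match, keep going".
        return evaluate(ACLS[element], addr) == "allow"
    net = ipaddress.ip_network(element, strict=False)
    return addr.version == net.version and addr in net


def evaluate(match_list, addr):
    """Walk an address-match list in order; first match decides.

    Returns "allow" on a positive match, "deny" on a negated match,
    or None if no element matched at all.
    """
    for element in match_list:
        negate = element.startswith("!")
        name = element[1:].strip() if negate else element
        if _element_matches(name, addr):
            return "deny" if negate else "allow"
    return None


def recursion_allowed(source_ip, allow_recursion=("fw",)):
    """Mimic `allow-recursion { fw; };`: anything unmatched is refused."""
    addr = ipaddress.ip_address(source_ip)
    return evaluate(list(allow_recursion), addr) == "allow"


if __name__ == "__main__":
    # Constructed sample sources: inside the fw ranges, just outside, remote.
    for ip in ["192.168.4.20", "69.31.131.40", "69.31.131.70",
               "2610:1f8:dc::1", "8.8.8.8", "127.0.0.1", "::1"]:
        verdict = "recursion" if recursion_allowed(ip) else "REFUSED"
        print(f"{ip:>16} -> {verdict}")
    # Negation example: carve one /24 out of fw before the rest is allowed.
    print(recursion_allowed("192.168.1.5", ["!192.168.1.0/24", "fw"]))  # False
```

The 69.31.131.32/27 entry covers .32 through .63 only, so .70 is refused; a remote resolver like 8.8.8.8 matches nothing and is refused too, which is the behaviour the config is after.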