That ought to work, and work well. This will not impact outside name servers that query your name server, because they send iterative queries. If they're sending recursive queries, they're abusing your server. I can't see any problems with this approach.
If you have authoritative data in the third view, make sure that when the first view wants to look it up, its iterative query to the server machine itself is routed through to the third view (rather than being captured by the first view). Chris Buxton Men & Mice On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote: > Our DNS server occasionally get requests for recursion with forged src > addresses. > Currently our server returns "Standard query response, Refused" since > our named.conf > only allows recursion for our internal machines. This, of course, > results in the poor > machine whose address was forged receiving spurious traffic. > > Some of the Cisco firewalls support DNS inspection and can be > configured to drop > requests which want recursion. What are the ramifications of enabling > this? > > Can bind be configured to do this? I was thinking about something > like: > > view "internal" { > match-clients { localhost; localnets; }; > ... > } > > view "external-recursive" { > match-clients { any; }; > match-recursive-only yes; > blackhole { any}; > } > > view "external" { > ... > } > > -- John > [EMAIL PROTECTED] > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users