> On 06.05.2021 at 16:45, Tony Finch <d...@dotat.at> wrote:
> 
> Axel Rau <axel....@chaos1.de> wrote:
> 
>> I have,
>> 
>>      allow-query { any; };
>>      allow-query-cache { recursive-users; };
>>      allow-recursion { recursive-users; };
>> 
>> How can I make sure that non-recursive-users get a REFUSED if the query is
>> recursive?
> 
> Weird! I think your config should do what you want so I wonder why it
> isn't working. Your server is responding to the problem queries with a
> referral from the root zone, so have you configured your server with a
> local authoritative copy of the root?

Yes.
> 
> There's a broader issue here:
> 
> Usually when you have a server that is providing recursive service to
> anyone, it is best to set the allow-query ACL to cover just your users, so
> everyone else gets REFUSED.
> 
> This means that your recursive server cannot also be used as an
> authoritative server advertised in NS records. Your public authoritative
> servers should be authoritative-only and not offer recursion to anyone.
> 
>> PS: I want to minimize the responses to this amplification attack:
> 
> Ooh, RRSIG queries are fun. They are like a stealth ANY query.
> 
> BIND has several tools for dealing with this kind of junk:
> 
>  * RRL is very effective
> 
>  * minimal-any also minimizes responses to RRSIG queries
> 
>  * minimal-responses can also help to reduce packet sizes
> 
> Your server is responding with a referral from the root, so minimal-any
> won't have any effect on the response. And because it's a referral, the
> glue etc. is not optional, so there's nothing that minimal-responses can
> omit. So in your situation the most useful things to do would be:
> 
>  * tighten up your allow-query ACL
> 
>  * if you can't do that, use RRL (you can add recursive-users to the
>    exempt-clients list)
> 
>  * configure separate views for recursive-users and others; do not
>    include the root zone in your external view

Currently, I have:

    minimal-responses yes;
    require-server-cookie yes;

    rate-limit {
        responses-per-second 5;
        exempt-clients { recursive-users; };
    };

which do not really help.

This NS has some other clients in the DMZ LAN, so I need Views.
I gave up on views years ago and I now have to learn to use them with all the
recent stuff, like in-view.
in-view can be helpful to reference the auth zones in the local view, I guess.

Thanks for your comprehensive explanation,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
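As an added worked example (not from the thread or from ISC), here is one way to lay out the two views Tony suggests and the in-view reference Axel asks about. It assumes BIND 9.16 or later (for the `primary` and `mirror` zone types); the ACL ranges, the zone name `example.org` and the file path are placeholders.

```conf
// Added example, not from the thread. Placeholder addresses, zone name and
// file path; "recursive-users" is the ACL name from Axel's config.
acl recursive-users { 192.0.2.0/24; 2001:db8::/32; };

options {
    minimal-responses yes;
    minimal-any yes;               // trims RRSIG/ANY answers from the cache view
    require-server-cookie yes;
};

// Internal view: recursion for our own users, with the local root copy.
// Listed first, so recursive-users never fall through to "external".
view "internal" {
    match-clients { recursive-users; };
    recursion yes;
    allow-query { recursive-users; };
    allow-query-cache { recursive-users; };
    allow-recursion { recursive-users; };

    // Local copy of the root (RFC 8806); "mirror" uses BIND's built-in
    // root server list and needs DNSSEC validation enabled (the default).
    zone "." { type mirror; };

    zone "example.org" {
        type primary;
        file "/var/named/example.org.zone";   // placeholder path
    };
};

// External view: authoritative-only, as Tony recommends. No root zone here,
// so a query for a name we are not authoritative for gets REFUSED instead of
// a root referral, and an RRSIG flood has no referral to amplify.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    allow-recursion { none; };

    rate-limit {
        responses-per-second 5;    // RRL still caps what does get answered
    };

    // Serve the same zone data without loading it a second time.
    zone "example.org" { in-view "internal"; };
};
```

Check the result with `named-checkconf` and then query from an address outside `recursive-users` for a name the server is not authoritative for; the expected status is REFUSED.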
