[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: nameservers open to world - with test output

On Sat, 3 Nov 2001 23:02, James wrote:
> Well, if your company runs the DNS for your website on those servers and
> you block outside IPs from querying from, no one on the internet will be
> able to go to your website.  :)
> Overall, I do not think it is a big problem, unless someone is pointing
> massive amounts of traffic to your DNS servers.  DNS traffic is usually
> very small UDP packets (I think like less than 512 bytes).  If it goes
> over that, it uses TCP.

I agree.  So I don't generally turn off the recursion function for public 
name servers even though it's easy to do.  Sometimes being able to do such 
recursive lookups from outside the network helps debugging network problems, 
something that saves an hour of my time will save the client more money than 
a year of bandwidth costs for DNS...

> But generally, I think to go over 512 bytes in one request would mean a
> zone transfer attempt (bad).

That is a matter of opinion.

When it's my choice I generally allow zone transfers.  Preventing zone 
transfers is just security by obscurity and doesn't gain much.  Allowing them 
allows smarter customers to give more detailed bug reports which can save 
time and money.

http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

Reply to: