
RE: DNS hits



Hi Glenn,

>> Actually the current Bind in stable is just a blessing in this respect.
>> It - by default- just allows recursion for localnet, localhost.
>
> This server is still Wheezy. The virtual websites didn't work on Jessie Apache (I have no idea why yet).
> 
>> So if you don't mess with it at all it does the right thing automagically.
> 
>> Most likely if you remove anything you tried to configure in the options it
>> will work just the way you want.
>
> I'd already done what Eduardo suggested in his post (config BIND to allow recursion from only a specified list of IPs), and all was well -- as soon as I tested it properly.
>
> FWIW, I ran dnstop for a while. I saw quite a bit of my own server at first, but over few minutes, its output turned into a list of hits on my domains.
> Almost all from the 52, 54 area (AWS). I don't know, but I assume dnstop is looking at packets before iptables processes them. If not, something is still badly broken.

If you configure BIND to just respond to local requests then dnstop might still see the requests coming from other IP numbers, BIND just might not respond to a recursive query.
AFAIK iptables has nothing to do with this. You cannot block DNS requests at the iptables level as it cannot distinguish between a request for your own domain, to which BIND should respond, and a recursive request for another domain, which BIND should ignore.

Bonno Bloksma
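As an added example (not from anyone in this thread), a BIND 9 named.conf fragment that does what Eduardo's suggestion describes: answer authoritative queries from anywhere, but recurse only for a listed set of networks. The ACL name, the 192.0.2.0/24 range and the example.com zone are placeholders.

```conf
// Added example, not part of the thread: restrict recursion to listed
// networks while keeping authoritative zones reachable from anywhere.
// The "trusted" ranges and the zone name are placeholders.
acl "trusted" {
    127.0.0.0/8;        // localhost
    ::1;
    192.0.2.0/24;       // placeholder: your own LAN / localnet
};

options {
    directory "/var/cache/bind";

    // Open-resolver misconfiguration, shown for contrast (do not use):
    // allow-recursion { any; };

    // Restricted: only "trusted" may ask this server about other domains.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Everyone may still query the zones this server is authoritative for,
    // which is why iptables cannot do this job: the packets look the same.
    allow-query { any; };
};

// Authoritative zone stays answerable for all clients (placeholder name).
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
```

`named-checkconf` validates the syntax before a reload. Afterwards a client outside "trusted" asking for a name this server is not authoritative for should get REFUSED, while queries for example.com are still answered, and dnstop will of course keep showing both kinds of request arriving.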

