[BlueOnyx:11718] Re: help with /var/log/messages? dns issue?

George F. Nemeyer tigerwolf at tigerden.com
Wed Nov 28 17:18:52 -05 2012


On Wed, 28 Nov 2012, webmaster wrote:

> When I got the bx box figured it should be the same?

Not necessarily.  Some of the BIND features have changed over time.
Notably, older BIND before 4.<something> would provide a root-server
listing answer to queries for which the server wasn't authoritative in
attempt to be helpful.  Later ones provide a 'refused' if recursion is
not allowed to the host making the query.

There are some BIND patches being proposed that may mitigate (but not
eliminate) some of the DoS attacks.  AFAIK, the patches aren't yet in
'production' releases.  Due to the way RedHat/CENTOS does version
updates, some changes may be incorporated into the repository updates
although the BIND version number itself appears older.

> I have read where this is bad but every time I would un-check it my
> world blew up so I checked it to make the issues go away

If you check it, *and* enter the IPs/networks you specifically want to
allow to do recursion, you should be ok.  Not specifying can default to
'any', which is Bad.

> It is now unchecked and everything hasn't blown up like before.

Times have changed.  Attacks are increasingly common, and vulnerable
servers are searched for and exploited by bots.

=^_^=  Tigerwolf
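The "check it *and* list the networks" advice above, written out as a BIND named.conf fragment.  This is an added illustration, not text from the thread or the config BlueOnyx generates; the ACL name "trusted" and the 192.0.2.0/24 network are placeholders for your own hosts.

```conf
// --- Open resolver: recursion for anyone who can reach port 53 ---
// This is what "recursion enabled with no networks listed" amounts to
// when the server treats the empty list as 'any'.
options {
    recursion yes;
    allow-recursion { any; };      // weak: any host on the Internet may recurse
};

// --- Restricted resolver: recursion only for the hosts you name ---
acl "trusted" {
    127.0.0.1;                     // the box itself
    ::1;
    192.0.2.0/24;                  // placeholder: your LAN / customer network
};

options {
    recursion yes;
    allow-recursion   { trusted; };   // only ACL members get recursive answers
    allow-query-cache { trusted; };   // keep cached answers off-limits to others
    allow-query       { any; };       // zones you are authoritative for are still
                                      // answered for everyone, as they must be
};
```

Run `named-checkconf` after editing so a syntax slip does not leave the server down instead of locked down.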


