[BlueOnyx:12712] Re: Proposed changes to BlueOnyx DNS (important!)
Chris Gebhardt - VIRTBIZ Internet
cobaltfacts at virtbiz.com
Mon Apr 1 08:05:09 -05 2013
On 3/31/2013 10:46 PM, Michael Stauber wrote:
> So what do you suggest?
> =======================
>
> a.) Do we bite into the sour apple and release this update that (for
> once) enforces a more secure DNS server setting (which can then be
> opened up as far as every admin desires)?
>
> IF we release this as I suggest, then some people will probably get
> upset when their DNS server no longer works as the open DDoS-attack-tool
> that it unwittingly might have become in the meantime.
>
> b.) Or do we go the safe and insecure route and only enforce ...
>
> allow-recursion { 127.0.0.1/32; };
>
> ... only on new installs and release it with ...
>
> allow-recursion { 0.0.0.0/0; };
>
> ... as it's now?
>
> Personally I tend to option (a) and want it locked down and damn the
> consequences. But I'm willing to listen to reason. :-)
>
> So let me know your thoughts. Thanks!
Of the 2 options, I think "a" is the direction to head in.
The one thing I am not excited about is that it adds another package to
the list that the BlueOnyx team will be taking responsibility for. If
that's a necessary thing, then so be it.
Personally, I cannot think of a reason that it would be necessary to run
open recursion at all. In addition, caching nameservice on the BlueOnyx
server does not seem like it would be a wise choice in my book. Let the
hosting appliance be a hosting appliance and get your DNS from a DNS
server. That's just me, and I know that my situation is not
necessarily representative of the larger body of users.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
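
The following is an added example, not part of the original message or of BlueOnyx's own code: a small audit that reads BIND configuration text and reports whether its `allow-recursion` ACL is open to every address, as with the `0.0.0.0/0` setting quoted above, or restricted, as with `127.0.0.1/32`. The sample configurations and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs (not taken from a real BlueOnyx server).
OPEN_CONF = """
options {
    directory "/var/named";
    // recursion for everyone
    allow-recursion { 0.0.0.0/0; };
};
"""
LOCKED_CONF = """
options {
    directory "/var/named";
    allow-recursion { 127.0.0.1/32; };  # local resolver only
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments so commented-out ACLs are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def recursion_acl(conf_text):
    """Return the elements of the first allow-recursion block, or None if absent.
    Nested { } address lists inside the block are not handled."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", strip_comments(conf_text))
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def is_open(element):
    """True if a single ACL element admits every address."""
    if element.lower() == "any":
        return True
    try:
        return ipaddress.ip_network(element, strict=False).prefixlen == 0
    except ValueError:
        return False  # named ACL, key or negated entry: not resolved here

def audit(conf_text):
    """Classify the recursion ACL as 'open', 'restricted' or 'unset'."""
    acl = recursion_acl(conf_text)
    if acl is None:
        return "unset"
    return "open" if any(is_open(e) for e in acl) else "restricted"
```

A result of `unset` means the file has no explicit `allow-recursion` statement, so the effective policy depends on the BIND version's defaults and on any other options in the file.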