[BlueOnyx:12590] Re: DNS Spamming

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Wed Mar 20 16:32:23 -05 2013


On 3/20/2013 3:51 PM, George F. Nemeyer wrote:
> On Mon, 18 Mar 2013, Will Nordmeyer wrote:
>
>> Last night (actually over the past few days), my server has been
>> hammered with DNS requests
>
> You may have been an unwitting part of this:
>
> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>
> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
> a checkbox labeled "Cache Record Lookups".  This sounds like it might be a
> good thing, but what it's really doing is telling the DNS server to "Allow
> Recursion" if checked.

George brings up a good point here, which is the phrasing of the 
recursion / caching option in the BlueOnyx GUI.

I wonder if it would be best to re-title the option as "Permit 
non-authoritative response" or "Allow Recursion".   Possibly add a note 
to the effect of "NOT RECOMMENDED. Do not enable unless you know what 
you're doing."

Also, I don't recall if the checkbox is on or off by default.  My call 
is it should be off by default.

This isn't because what is in the BlueOnyx GUI is wrong, but I think 
there are plenty of BlueOnyx users that may not fully understand

I'm having a hard time thinking of good scenarios that would make it a 
good idea to have caching turned on.  Usually, the ISP provides 
recursive nameservers.   We provide recursion to all of our customers on 
dedicated DNS hosts that are locked down to only provide replies to 
subnets that we supply.   I believe that is the norm.  Therefore, I 
can't think of many reasons that one would need a BlueOnyx box to also 
serve recursive queries.   But of course I may be myopic and there could 
be something I just haven't thought of.

Anyhow, there goes my 2 cents for the day.

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
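
An added example, not part of the original message or of BlueOnyx: one way to check from outside your permitted subnets whether a name server you administer still offers recursion, by reading the RA flag and RCODE in the DNS reply header. The function names (`build_query`, `classify`, `probe`) and the sample headers are constructed for illustration; query a name the server is not authoritative for, since an authoritative answer says nothing about recursion.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080          # header flag bits (RFC 1035)
REFUSED = 5                      # RCODE value for a refused query

def build_query(name, qid=0x1234, qtype=1):
    """Build a recursion-desired query for `name` (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """Judge from the 12-byte header whether recursion was offered."""
    if len(response) < 12:
        return "malformed"
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        return "malformed"           # QR bit clear: this is not a response
    if flags & 0x000F == REFUSED:
        return "refused"             # locked down: client not permitted
    if flags & RA:
        return "recursion-offered"   # server will recurse for this client
    return "no-recursion"

def probe(server, name, timeout=3.0):
    """Send one query to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

def _header(flags, ancount=0):
    # Constructed sample response headers (not captured traffic).
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {
    "open":   _header(0x8180, 1),    # QR RD RA, NOERROR, one answer
    "locked": _header(0x8105),       # QR RD, RCODE REFUSED
    "auth":   _header(0x8100),       # QR RD, RA clear
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt))
```

A result of `recursion-offered` from an address outside the subnets you intend to serve means the recursion setting discussed above is effectively open to the Internet.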


