[BlueOnyx:12593] Re: DNS Spamming

George F. Nemeyer tigerwolf at tigerden.com
Wed Mar 20 17:36:18 -05 2013


On Wed, 20 Mar 2013, Chris Gebhardt - VIRTBIZ Internet wrote:

> I wonder if it would be best to re-title the option as "Permit
> non-authoritative response" or "Allow Recursion".  Possibly add a note
> to the effect of "NOT RECOMMENDED. Do not enable unless you know what
> you're doing."

I agree that the labeling could be better, and possibly locating it next
to the box where IPs allowed to recurse go.  I'd also recommend
pre-populating the box with "localhost; localnets" just to be sure there's
not a default of "any" and that the cache setting checkbox at least
doesn't let the server become wide open.

Cache and recursion are related, in that you (apparently) need recursion
to query the cache, so no cache also means no recursion (and in BX,
it actually sets/unsets the "allow-recursion" string in the real config
file).  Also, I think that in later BIND versions, there was a separation
of certain CACHE and RECURSION settings and the way they inter-related.

I remember digging into this issue a while back, and I seem to recall that
change plus a number of other changes that happened around the transition
from RH 4.x to 5.x, and BIND 9.4 to 9.5.  I do remember getting even more
confused by some of the unclear language in various BIND documents and
third-party articles.  I still don't feel I've got a good grasp on what
some combinations really do.  At the time, I worked on a suggestion
posting for the GUI section layout, but I may have never actually posted
it.

> Also, I don't recall if the checkbox is on or off by default.  My call
> is it should be off by default.

Not sure myself.

> This isn't because what is in the BlueOnyx GUI is wrong, but I think
> there are plenty of BlueOnyx users that may not fully understand

I'd bet on that.  I'm one. :)

> I'm having a hard time thinking of good scenarios that would make it a
> good idea to have caching turned on.

If machines on your local network look at your own servers, at least
something needs to allow recursion.  If everything looks to the upstream
ISP, then no.  The advantage, I presume, would be to keep most DNS
activity 'internal' to the local network(s) rather than sending everything
upstream.  It was likely more important back when outside bandwidth was
much more limited and expensive.

> Usually, the ISP provides recursive nameservers.  We provide recursion
> to all of our customers on dedicated DNS hosts that are locked down to
> only provide replies to subnets that we supply.  I believe that is the
> norm.

It's what we do, too.

> Therefore, I can't think of many reasons that one would need a
> BlueOnyx box to also serve recursive queries.  But of course I may be
> myopic and there could be something I just haven't thought of.

Not serve the queries to outside world for sure!

=^_^=  Tigerwolf
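As an added illustration (not from the post or from the BlueOnyx GUI's generated config), these are the named.conf settings the thread is talking about: the wide-open form beside the restricted form the reply suggests, plus the no-recursion form. The ACL name "trusted" is an assumption; pick one of the three options blocks, they are alternatives.

```conf
// Illustration only, not the BlueOnyx-generated named.conf.
// Three alternative "options" blocks; a real file has exactly one.

// 1. WEAK: an open resolver.  Any host on the Internet can make this
//    server recurse for it and read its cache (the "default of any"
//    the reply warns about).
options {
    recursion yes;
    allow-recursion   { any; };
    allow-query-cache { any; };   // BIND >= 9.4; defaults to the allow-recursion value
};

// 2. HARDENED, still recursing for the local network only.
//    "localhost; localnets" is what the reply suggests pre-populating;
//    localnets = the networks the server has an interface on.
acl "trusted" { localhost; localnets; };   // ACL name assumed
options {
    recursion yes;
    allow-recursion   { trusted; };   // who may ask us to recurse
    allow-query-cache { trusted; };   // who may read cached (non-authoritative) answers
    allow-query       { any; };       // our own zones are still served to everyone
};

// 3. HARDENED, authoritative only (the "cache off" case):
//    no recursion at all, outside queries only get our own zones.
options {
    recursion no;
    allow-query { any; };
};
```

To confirm the result from an address outside the trusted ACL, query the server for a name it is not authoritative for: dig should report "recursion requested but not available" rather than an answer.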
