[73196] in North American Network Operators' Group
Re: Domain Name System protection
daemon@ATHENA.MIT.EDU (Bruce Pinsky)
Mon Aug 16 15:42:55 2004
Date: Mon, 16 Aug 2004 12:40:55 -0700
From: Bruce Pinsky <bep@whack.org>
Reply-To: bep@whack.org
To: Suresh Ramasubramanian <suresh@outblaze.com>
Cc: Joe Shen <joe_hznm@yahoo.com.sg>, nanog@merit.edu
In-Reply-To: <4120462C.9020401@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Suresh Ramasubramanian wrote:
|
| Joe Shen wrote:
|
|> We noticed there are continuous name resolution requests
|> from IP addresses outside of our address pool and also
|> there are requests not conforming to DNS documents (
|> like those from 10/8, 192.168/16 or something for
|> microsoft proxy server name). We think these requests
|> waste our resources and we don't want these systems
|> stable, secure and high performance.
|
|
| If the resolver caches are only supposed to be accessed from your IP
| space, I am sure you can easily throw in a router ACL to accept
| connections on port 53 only from these IPs.
|
| Oh, and filter out bogons at your borders while you are at it (like for
| example rfc1918 source addresses from outside your network)
|
And check out the CYMRU Secure Bind template at
http://www.cymru.com/Documents/secure-bind-template.html
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFBIQ3HE1XcgMgrtyYRAuAXAJ4z6GI+X7nPL3wZZ2kvB30YGQ+B/QCeIagA
mqIz2gcRVeY+g2LVBjLc6dQ=
=iAkf
-----END PGP SIGNATURE-----
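The thread's two recommendations (accept port 53 only from your own address pool, and drop RFC 1918 sources at the border) can be checked against a resolver's query log before and after the ACLs go in. The script below is an added example, not part of the original posts or of the Team Cymru template: it parses BIND-style query-log lines, classifies each source address as inside the pool, an RFC 1918 bogon, or an unexpected outside address, and emits the BIND `acl` statement that would restrict recursion to the pool. The address pool and the log lines are constructed sample data.

```python
import ipaddress
import re

# Constructed sample BIND query-log lines (not from the original thread);
# the layout follows BIND's "queries" logging category.
SAMPLE_LOG = """\
16-Aug-2004 12:40:01.123 client 203.0.113.17#53012: query: www.example.com IN A +
16-Aug-2004 12:40:02.456 client 198.51.100.9#40213: query: mail.example.net IN MX +
16-Aug-2004 12:40:03.789 client 10.4.2.1#1025: query: proxy.corp.example IN A +
16-Aug-2004 12:40:04.001 client 192.168.1.50#1026: query: wpad.example.org IN A +
16-Aug-2004 12:40:05.002 client 203.0.113.200#52100: query: example.org IN AAAA +
"""

# Assumed customer address pool of the resolver (constructed example value).
OUR_POOL = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private space: never a legitimate source from outside the network,
# which is the "filter out bogons at your borders" point made in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Tolerates both the older "client A.B.C.D#port:" form and newer forms that
# add a client pointer and "(qname)" before the colon.
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\S+?)#\d+(?: \([^)]*\))?: query: (\S+) IN (\S+)"
)


def classify(src, pool=OUR_POOL):
    """Return 'allowed', 'bogon' or 'outside' for one source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in pool):
        return "allowed"
    if any(ip in net for net in RFC1918):
        return "bogon"
    return "outside"


def audit(log_text, pool=OUR_POOL):
    """Classify every query line; return per-class counts and the flagged queries."""
    counts = {"allowed": 0, "outside": 0, "bogon": 0}
    flagged = []
    for line in log_text.splitlines():
        match = CLIENT_RE.search(line)
        if not match:
            continue  # not a query line (startup messages, etc.)
        src, qname, qtype = match.groups()
        kind = classify(src, pool)
        counts[kind] += 1
        if kind != "allowed":
            flagged.append((kind, src, qname, qtype))
    return counts, flagged


def bind_acl(name, pool=OUR_POOL):
    """Render a BIND named.conf acl for the pool, for use in allow-recursion."""
    members = " ".join(f"{net};" for net in pool)
    return f"acl {name} {{ {members} }};"


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_LOG)
    print(counts)
    for entry in flagged:
        print("flagged:", *entry)
    print(bind_acl("ourpool"))
```

Run against a real query log, anything counted as `bogon` or `outside` after the router ACL and `allow-recursion { ourpool; };` are in place indicates the filters are not yet matching what actually reaches the resolver.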