Would implementing response rate limiting (DNS RRL) on BIND cause loss of legitimate traffic? For example, if only 5 responses are allowed per second, and ALL of these responses are in response to an attack, won't legitimate packets be harmed as a result? Or does "allow x responses per second" actually mean "allow x responses per second per destination IP"?
Next, how are "forwarding" and "recursion" related in BIND? Specifically, I am having trouble with this example scenario:
- NS server 1: hostname ns1, IP 192.168.1.227, authoritative for domain "example.org". Forwarding is enabled to IP 192.168.1.240.
- NS server 2: hostname ns2, IP 192.168.1.240, authoritative for domain "test.org". Forwarding is enabled to IP 192.168.1.227.
- In each named.conf global options section, recursion is set to 'no'. In the same section, "allow-query" is set to 192.168.1.0/24.
- When I do nslookup queries on each of these servers for the fully qualified domain name of the other server from a host in that IP range (nslookup ns1.example.org 192.168.1.240), I get messages like these in the log:
Code:
client 192.168.1.124#9153: query (cache) 'ns1.example.org/A/IN' denied
But if the recursion option is enabled for the 192.168.1.0/24 range on the same server (192.168.1.240 in this example), the query is allowed through.
Why must I enable recursion when I've already enabled forwarding to the other server?
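On the first question: BIND's RRL does not keep one global budget of "x responses per second". It keeps one counter per (client netblock, identical response), where the netblock is the client address truncated to ipv4-prefix-length (default 24) or ipv6-prefix-length (default 56) and the response identity is roughly the query name, type and response code. A flood from one /24 asking one question drains only that bucket; a client in another netblock, or a client in the same netblock asking a different question, is unaffected. The `slip` option additionally turns every nth suppressed response into a truncated (TC=1) reply so that a real client in the attacked netblock can retry over TCP. The following token-bucket model is an added illustration written for this page, not BIND's own code; the traffic it feeds in is constructed, and the refill details are simplified (BIND's `window` and negative-balance handling are left out).

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Simplified model of BIND RRL accounting (illustration only, not BIND's code).

    One token bucket per (client netblock, qname, qtype, rcode).  Each bucket holds
    at most `responses_per_second` tokens and refills at that rate; a response costs
    one token.  Suppressed responses are dropped, except that every `slip`-th one is
    sent truncated so a genuine client retries over TCP.
    """

    def __init__(self, responses_per_second=5, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.rate = responses_per_second
        self.slip = slip
        self.v4len = ipv4_prefix_length
        self.v6len = ipv6_prefix_length
        self._tokens = {}                  # key -> (tokens, last_update_time)
        self._suppressed = defaultdict(int)  # key -> number of suppressed responses

    def _netblock(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4len if addr.version == 4 else self.v6len
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'answer', 'truncate' or 'drop' for one would-be response."""
        key = (self._netblock(client_ip), qname.lower().rstrip("."), qtype, rcode)
        tokens, last = self._tokens.get(key, (float(self.rate), now))
        tokens = min(float(self.rate), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._tokens[key] = (tokens - 1.0, now)
            return "answer"
        self._tokens[key] = (tokens, now)
        self._suppressed[key] += 1
        if self.slip and self._suppressed[key] % self.slip == 0:
            return "truncate"   # TC=1 reply: a real client will retry over TCP
        return "drop"


def simulate(responses_per_second=5):
    """Run constructed traffic through the limiter and summarise what happens."""
    rrl = ResponseRateLimiter(responses_per_second=responses_per_second)
    # Constructed attack: 20 spoofed sources in 203.0.113.0/24 all asking example.org/ANY
    # within the same second.  These addresses and names are sample data, not a capture.
    attack = [(0.0, f"203.0.113.{i}", "example.org", "ANY") for i in range(1, 21)]
    attack_outcomes = Counter(rrl.decide(t, ip, q, qt) for t, ip, q, qt in attack)
    return {
        "attack": dict(attack_outcomes),
        # different netblock, same question: its own bucket, so it is answered
        "other_netblock": rrl.decide(0.0, "198.51.100.7", "example.org", "ANY"),
        # same netblock as the attack but a different response: answered as well
        "same_netblock_other_name": rrl.decide(0.0, "203.0.113.50", "www.example.org", "A"),
        # same netblock, same question: shares the exhausted bucket, gets slip/TC or drop
        "same_netblock_same_name": rrl.decide(0.0, "203.0.113.50", "example.org", "ANY"),
        # one second later the bucket has refilled
        "after_one_second": rrl.decide(1.0, "203.0.113.50", "example.org", "ANY"),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The practical caveat is the "same_netblock_same_name" case: a legitimate resolver that shares a /24 with the attack sources and asks the identical question is limited along with them, which is exactly why `slip` and the TCP retry path matter and why RRL is meant for authoritative servers, where legitimate clients are other resolvers that do fall back to TCP.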
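On the second question: in BIND, forwarding is not an alternative to recursion but a way of performing it. A query for a name outside the server's own zones is a cache query; named only pursues it (by iterating or by handing it to the configured forwarders) if the client is allowed to recurse, i.e. `recursion yes` together with a matching `allow-recursion` ACL (with `recursion yes` and no explicit ACL, BIND's default only covers localhost and localnets). With `recursion no`, the forwarders are never consulted and the server logs the "query (cache) ... denied" line quoted above. The class below is an added toy model of that decision written for this page, not BIND's source; the server names and addresses come from the scenario in the question, and the log strings only imitate BIND's format.

```python
import ipaddress


class NamedServer:
    """Toy model of BIND's per-query decision (illustration only, not BIND's code)."""

    def __init__(self, name, ip, zones, allow_query, recursion=False,
                 allow_recursion=(), forwarders=()):
        self.name = name
        self.ip = ip
        self.zones = [z.lower().rstrip(".") for z in zones]      # authoritative zones
        self.allow_query = [ipaddress.ip_network(n) for n in allow_query]
        self.recursion = recursion                                # 'recursion yes/no'
        # 'allow-recursion' ACL; modelled as an explicit list instead of BIND's default
        self.allow_recursion = [ipaddress.ip_network(n) for n in allow_recursion]
        self.forwarders = list(forwarders)                        # 'forwarders { ... }'

    @staticmethod
    def _match(client_ip, acl):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in acl)

    def _authoritative_zone(self, qname):
        labels = qname.lower().rstrip(".").split(".")
        for zone in self.zones:
            zl = zone.split(".")
            if labels[-len(zl):] == zl:
                return zone
        return None

    def handle(self, client_ip, client_port, qname, qtype="A", rd=True):
        """Return (outcome, detail) for one query; rd is the RD bit of the query."""
        if not self._match(client_ip, self.allow_query):
            return ("denied", f"client {client_ip}#{client_port}: "
                              f"query '{qname}/{qtype}/IN' denied")
        zone = self._authoritative_zone(qname)
        if zone is not None:
            return ("authoritative", zone)
        # Anything outside our zones is a cache query and needs recursion.  Forwarders
        # are only used as part of recursive resolution, so they never help on their own.
        if rd and self.recursion and self._match(client_ip, self.allow_recursion):
            if self.forwarders:
                return ("forwarded", self.forwarders[0])
            return ("recursive", "iterative resolution from the root hints")
        return ("denied", f"client {client_ip}#{client_port}: "
                          f"query (cache) '{qname}/{qtype}/IN' denied")


def scenario():
    """ns2 from the question, first as configured, then with recursion allowed."""
    common = dict(name="ns2", ip="192.168.1.240", zones=["test.org"],
                  allow_query=["192.168.1.0/24"], forwarders=["192.168.1.227"])
    ns2_as_configured = NamedServer(recursion=False, **common)
    ns2_with_recursion = NamedServer(recursion=True,
                                     allow_recursion=["192.168.1.0/24"], **common)
    return {
        "own_zone": ns2_as_configured.handle("192.168.1.124", 9153, "ns2.test.org"),
        "forward_without_recursion":
            ns2_as_configured.handle("192.168.1.124", 9153, "ns1.example.org"),
        "forward_with_recursion":
            ns2_with_recursion.handle("192.168.1.124", 9153, "ns1.example.org"),
        "outside_allow_query":
            ns2_with_recursion.handle("10.0.0.5", 4000, "ns1.example.org"),
        "no_rd_bit":
            ns2_with_recursion.handle("192.168.1.124", 9153, "ns1.example.org", rd=False),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

In named.conf terms the equivalent fix on each server is `recursion yes;` plus `allow-recursion { 192.168.1.0/24; };` in the global options next to the existing `forwarders` statement; the `allow-query` line alone never grants recursion, and a client that sends a query with RD clear (for example `dig +norecurse`) is refused regardless.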