DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)
DNS Configuration on the NonStop Server
HP DNS Configuration and Management Manual—529432-003
3-11
Use ACLs
Use ACLs to Restrict Recursion
Figure 3-6 shows how a corporation like HP might use BIND security options to connect to the Internet.

By default, a DNS server answers queries from any client resolver. Queries received from client resolvers are typically recursive; that is, the client resolver asks the DNS server to find the answer on the client's behalf. Finding the answer requires the DNS server to send queries to several other name servers. (See Name Servers: Recursive and Nonrecursive Resolution on page A-8.) This process of request and referral puts a heavy load on your DNS server's named process and could expose the name server to a denial-of-service attack from the Internet, whereby a malicious user floods the name server with recursive queries.
Figure 3-6. ACL Example: Internet

[Figure not reproduced. It shows three tiers between HP internal and the Internet:
  HP-internal roots: internal hp.com root servers (update and manage db.hp, db.15; an SOA for db.hp, db.15); forward queries about the outside world to the HP-external servers; configured with allow-query {hp_hosts;}; allow-transfer {hp_servers;};
  Firewall: only allow port 53 traffic
  HP-external servers: selected RRs for hp.com; delegated by the INTERNIC root, COM, as servers for hp.com and 15.in-addr.arpa; configured with allow-query {any;}; allow-transfer {none;};]
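The following is an added example, not code from this manual or from HP. It models how BIND evaluates the address match lists that the ACL options use (entries tested in order, first match wins, a leading "!" negates an entry, nested ACL names expand) and applies allow-query, allow-transfer and an allow-recursion restriction to the two server roles in Figure 3-6. The address ranges behind hp_hosts and hp_servers, the sample queries, and the allow-recursion lines (which the figure does not show) are assumptions made here to illustrate restricting recursion; the figure itself only gives allow-query and allow-transfer.

```python
import ipaddress

# Constructed ACL definitions (hypothetical address ranges) written the way a
# named.conf "acl" statement would define them, e.g.
#   acl hp_hosts { 15.0.0.0/8; 10.0.0.0/8; 127.0.0.1; };
#   acl hp_servers { 15.1.1.1; 15.1.1.2; };
ACLS = {
    "hp_hosts": ["15.0.0.0/8", "10.0.0.0/8", "127.0.0.1"],
    "hp_servers": ["15.1.1.1", "15.1.1.2"],
    "any": ["0.0.0.0/0"],   # BIND's built-in "any" (IPv4 only in this model)
    "none": [],             # BIND's built-in "none": matches nothing
}


def matches(addr, match_list):
    """Evaluate a BIND-style address match list against one client address.

    Entries are tested in order and the first match decides; a leading "!"
    negates an entry, so "!15.3.0.0/16" rejects that range even if a later
    entry would accept it.  An entry that names another ACL is expanded;
    as in BIND, a negative match inside a nested ACL counts as "no match".
    """
    ip = ipaddress.ip_address(addr)
    for entry in match_list:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item in ACLS:
            hit = matches(addr, ACLS[item])
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False


# Server policies mirroring the two roles in Figure 3-6.  The figure shows
# allow-query and allow-transfer; the allow-recursion lines are an assumption
# added here to restrict recursion as the section heading recommends.
INTERNAL_SERVER = {
    "allow-query": ["hp_hosts"],
    "allow-recursion": ["hp_hosts"],
    "allow-transfer": ["hp_servers"],
}
EXTERNAL_SERVER = {
    "allow-query": ["any"],
    "allow-recursion": ["none"],   # authoritative answers only toward the Internet
    "allow-transfer": ["none"],
}
# The default the text describes: answer, and recurse for, any client.
OPEN_DEFAULT = {
    "allow-query": ["any"],
    "allow-recursion": ["any"],
    "allow-transfer": ["any"],
}


def decide(policy, client, recursion_desired=False, transfer=False):
    """Return how a server with this policy disposes of one request:
    "refused", "transfer", "recursive" (named resolves on the client's behalf)
    or "nonrecursive" (only local authoritative data is consulted)."""
    if transfer:
        return "transfer" if matches(client, policy["allow-transfer"]) else "refused"
    if not matches(client, policy["allow-query"]):
        return "refused"
    if recursion_desired and matches(client, policy["allow-recursion"]):
        return "recursive"
    return "nonrecursive"


# Constructed sample traffic: (client address, RD flag set, zone-transfer request)
SAMPLE_QUERIES = [
    ("15.3.4.5", True, False),       # internal resolver asking for recursion
    ("15.1.1.2", False, True),       # internal secondary pulling a zone
    ("198.51.100.7", True, False),   # Internet host asking for recursion
    ("198.51.100.7", False, False),  # Internet host asking about hp.com data
    ("203.0.113.9", False, True),    # Internet host attempting a zone transfer
]


def recursion_load(policy, queries=SAMPLE_QUERIES):
    """Count the requests that make named recurse on the client's behalf,
    i.e. the work a recursive-query flood can impose under this policy."""
    return sum(1 for client, rd, axfr in queries
               if decide(policy, client, rd, axfr) == "recursive")


if __name__ == "__main__":
    for name, policy in [("open default", OPEN_DEFAULT),
                         ("HP-internal", INTERNAL_SERVER),
                         ("HP-external", EXTERNAL_SERVER)]:
        print(f"{name:12s} recursive requests served: {recursion_load(policy)}")
        for client, rd, axfr in SAMPLE_QUERIES:
            print(f"  {client:14s} rd={rd!s:5s} axfr={axfr!s:5s} -> "
                  f"{decide(policy, client, rd, axfr)}")
```

Run it to see that the Internet-facing server still answers questions about hp.com data but never recurses or transfers for an Internet client, while the internal server recurses only for hp_hosts and transfers only to hp_servers; the open default recurses for every RD-set query, which is the exposure the text describes.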