nanog mailing list archives

Re: The power of default configurations


From: Jon Lewis <jlewis () lewis org>
Date: Thu, 7 Apr 2005 14:02:11 -0400 (EDT)


On Thu, 7 Apr 2005, Eric A. Hall wrote:

> This setup works if you know the server is the last resort for your local
> clients. It doesn't work as a default install unless you are also willing
> to scream warnings about changing the defaults every time named.conf is
> modified for local use.

Would you really have to scream?  i.e. named (at least on redhat) comes
with something like:

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
$TTL    86400
$ORIGIN localhost.
@                       1D IN SOA       @ root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        1D IN A         127.0.0.1

How many admins mess with that?  Unless they had reason to (i.e. maybe
they use some 1918 space internally and want to set up DNS for it), I doubt
that they'd remove similar zone entries intended to be a sink for RFC1918
PTR queries.

> Besides which, you'd really prefer to have an internal filter kill the
> queries before they are sent to the root (as part of chasing down the
> delegation chain), or before it was sent to the authoritative servers for
> in-addr.arpa. (if such was already learned), rather than make users
> remember to change the configuration file.

Defining the zones locally keeps their queries from getting to the
root/in-addr.arpa servers.

I think I agree with you on losing the * entry, and just letting it return
nxdomain.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
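For concreteness, this is what such a sink zone for the RFC 1918 blocks looks like in BIND syntax; it is an added example, not part of Jon's message or of the Red Hat defaults he quotes, and the zone file name `rfc1918-empty.zone` is an assumption. The zone carries only SOA and NS records and no `*` wildcard, so a PTR query for an address such as 10.1.2.3 is answered locally with NXDOMAIN instead of being chased out to the root or in-addr.arpa servers.

```conf
// named.conf fragment: one sink zone per RFC 1918 block, all sharing one zone file.
// Zone names are the in-addr.arpa (reverse-mapping) names of the private ranges.
zone "10.in-addr.arpa" IN {
        type master;
        file "rfc1918-empty.zone";
        allow-update { none; };
};
zone "168.192.in-addr.arpa" IN {
        type master;
        file "rfc1918-empty.zone";
        allow-update { none; };
};
// 172.16.0.0/12 does not fall on an octet boundary, so it needs one zone per /16
// (16.172.in-addr.arpa through 31.172.in-addr.arpa); only the first is shown here.
zone "16.172.in-addr.arpa" IN {
        type master;
        file "rfc1918-empty.zone";
        allow-update { none; };
};

; rfc1918-empty.zone (assumed file name): SOA and NS only.  No PTR records and
; no "*" wildcard, so every name below the apex gets a local NXDOMAIN.
$TTL    86400
@       1D IN SOA       localhost. root.localhost. (
                        1               ; serial
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; negative-caching minimum
        1D IN NS        localhost.
```

Later BIND 9 releases ship equivalent built-in empty zones for these ranges (the `empty-zones-enable` option, on by default), so on current installs the hand-written form above is only needed where a site wants to override or extend them.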