Subject: Re: change named.conf to turn off recursion by default?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Carl Brewer <carl@bl.echidna.id.au>
List: tech-net
Date: 03/06/2006 11:13:59
Steven M. Bellovin wrote:
> Given the increasing problem of DOS reflector attacks via the DNS -- see
> 
> 	http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
> 	http://cc.uoregon.edu/cnews/winter2006/recursive.htm
> 
> should we ship a named.conf that disables recursion?  OpenBSD has
> shipped that way since at least 2004.  

IMO, yes.

Running BIND requires that you have an idea of how to set it up.  As
long as the change is clearly documented I can't see it being
a problem.

Carl
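
An added example, not part of the original message or of any shipped NetBSD or BIND tooling: a small Python check that classifies a named.conf as having recursion disabled, restricted to an ACL, or open, which is the property the proposed default would change. The sample configurations and function names are constructed for illustration; the check reads only the global options block (not per-view settings) and assumes that a missing allow-recursion ACL leaves recursion open to any client.

```python
import re

# Constructed sample configs (not from any shipped named.conf).
OPEN_CONF = 'options { directory "/etc/namedb"; };  // recursion defaults to yes'
CLOSED_CONF = 'options { directory "/etc/namedb"; recursion no; };'
RESTRICTED_CONF = """
acl trusted { 192.0.2.0/24; localhost; };
options {
    /* recurse only for our own clients */
    recursion yes;
    allow-recursion { trusted; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments (markers inside quoted strings are not handled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the first options { ... } statement, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def recursion_posture(conf):
    """Classify the global options as 'disabled', 'restricted' or 'open'."""
    opts = options_block(strip_comments(conf))
    # Lookbehind keeps 'allow-recursion' from matching as the 'recursion' flag.
    flag = re.search(r"(?<![-\w])recursion\s+(\w+)\s*;", opts)
    if flag and flag.group(1).lower() in ("no", "false", "0"):
        return "disabled"
    acl = re.search(r"(?<![-\w])allow-recursion\s*\{([^}]*)\}", opts)
    if acl:
        elems = [e.strip() for e in acl.group(1).split(";") if e.strip()]
        if elems and "any" not in elems:
            return "restricted"
    # Assumption: no allow-recursion ACL means any client may recurse.
    return "open"

if __name__ == "__main__":
    for name in ("OPEN_CONF", "CLOSED_CONF", "RESTRICTED_CONF"):
        print(name, "->", recursion_posture(globals()[name]))
```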