Securing DNS Question
Greetings: We've secured approximately a dozen or so RedHat Linux and FreeBSD name servers running Bind 8.4.1 (an H-Sphere requirement), where we restrict zone transfers and recursion to the local area network and to the H-Sphere servers directly involved in the H-Sphere cluster.
The "options" area of /etc/named.conf would include the following settings:
allow-transfer { xfer; };
allow-query { any; };
allow-recursion { recursive; };
blackhole { bogon; };
"xfer" would be the localnets plus the name servers, and recursion would include the H-Sphere cluster.
Queries would be allowed for anyone.
We had a setup this week where allow-recursion had to be set to "any" in order for the mail server to find msn.com, or for a server outside the network to query msn.com against the name servers that were secured.
If it matters, the servers in question are hosted with Rackspace.com.
Questions:
1. Has anyone run into this in the past, where they had to open up recursive queries that under normal circumstances you keep locked down?
If so, what were the circumstances under which you had to leave it open?
2. Could it be the way rackspace.com has their network set up?
3. Any recommendations for changes to have recursive queries be more restrictive without causing mail server problems?
Thank you.
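An added example, not part of the original post and not part of BIND or H-Sphere: the script below (my own code, Python 3, standard library only) is the check I would run before and after changing the allow-recursion ACL. It sends a query with the RD (recursion desired) bit set, exactly what the mail server's resolver does, and reports what the server put in the reply header: whether the RA (recursion available) bit is set, whether the RCODE is REFUSED, and whether the server handed back a referral instead of an answer. Running it from the mail server, from a host inside "recursive", and from an outside host shows directly which ACL class each vantage point actually matches, which is the question behind both the msn.com failure and the Rackspace network question. The header bit positions follow RFC 1035 section 4.1.1; the server address 192.0.2.53 is a placeholder, and build_response_header only constructs reply headers so the classification logic can be exercised offline.

```python
"""Probe a name server for recursion availability by inspecting RFC 1035 header flags."""
import secrets
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

# RFC 1035 section 4.1.1 header flag bits (16-bit flags word)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for l in labels:
        if len(l) > 63:
            raise ValueError("label too long: %r" % l)
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None, qtype=1):
    """Build a query with RD set: we are explicitly asking the server to recurse."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Decode the 12-byte header into the fields that matter for an ACL check."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr):
    """Turn the header into a verdict on what this server will do for this client."""
    if hdr["rcode"] == 5:
        return "refused"             # query or recursion denied outright
    if hdr["ra"]:
        return "recursive"           # server will resolve foreign names for us
    if hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative-only"  # answered from its own zones; RA clear
    if hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral-only"       # referral instead of an answer: RD was ignored
    return "no-recursion"


def probe(server, name, timeout=3.0, port=53):
    """Send one UDP query and classify the reply (this part needs network access)."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr), hdr


def build_response_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Constructed reply header for offline exercise of classify(); no server involved."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address
    name = sys.argv[2] if len(sys.argv) > 2 else "msn.com"
    verdict, hdr = probe(server, name)
    print("%s: %s (rcode=%s, ra=%s, an=%d, ns=%d)" % (
        server, verdict, RCODE_NAMES.get(hdr["rcode"], hdr["rcode"]),
        hdr["ra"], hdr["ancount"], hdr["nscount"]))
```

Usage: `python3 probe.py <nameserver-ip> msn.com` from each host of interest. A host that is in the "recursive" ACL should get "recursive"; a host outside it should get "refused" or "referral-only" for a name the server is not authoritative for, and that is the expected result, not a fault, because a server that does not recurse for a client cannot look up msn.com on its behalf. If the mail server reports anything other than "recursive", its source address is not matched by the ACL as the server sees it (for example because it reaches the name server via a different interface or NAT address than the one listed), and fixing the ACL entry is the restrictive alternative to setting allow-recursion to "any".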