Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
userguide:dns:dnsmanager [2014/07/21 20:08] chris@virtbiz.comuserguide:dns:dnsmanager [2014/07/23 19:33] (current) chris@virtbiz.com
Line 39: Line 39:
   * **Open DNS Server**: __NOT RECOMMENDED!__  If you tick this box, your DNS server will be entirely open and will resolve DNS for anyone and everyone. //That is a really bad idea.// This exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/32) on this DNS server, or selected and trustworthy network address ranges.   * **Open DNS Server**: __NOT RECOMMENDED!__  If you tick this box, your DNS server will be entirely open and will resolve DNS for anyone and everyone. //That is a really bad idea.// This exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/32) on this DNS server, or selected and trustworthy network address ranges.
   * **Allow Cache access from these Networks**: You can limit which address ranges can query your server to specific IP addresses or ranges, but doing so will prevent other servers than those that are included in the IP range(s) you provide from accessing your DNS.    * **Allow Cache access from these Networks**: You can limit which address ranges can query your server to specific IP addresses or ranges, but doing so will prevent other servers than those that are included in the IP range(s) you provide from accessing your DNS. 
 +    * Enabling caching, also called recursion, allows resolution of domains and network zones that other name servers are authoritative for. Disabling caching is useful when operating this server on a private network.
   * **Forwarding Servers**: Forwarding domain name servers are used when Allow DNS Cache Access is enabled and when root domain name servers are not directly accessible due to a limited or restricted Internet connection. Please enter a series of four numbers between 0 and 255 separated by periods. For example, 192.168.1.1 is a valid entry.   * **Forwarding Servers**: Forwarding domain name servers are used when Allow DNS Cache Access is enabled and when root domain name servers are not directly accessible due to a limited or restricted Internet connection. Please enter a series of four numbers between 0 and 255 separated by periods. For example, 192.168.1.1 is a valid entry.
-  * **Zone Transfer Access by IP Address**: Enter the IP addresses that are allowed to download all records maintained by this domain name server through zone transfers. Zone transfers are used by secondary domain name servers to synchronize their records with primary domain name servers. The default value is to leave this field empty to refuse zone transfer requests.+    * If the BlueOnyx server is being used on a private network or in conjunction with a restrictive firewall, you can specify a forwarding DNS server(s) by IP address. If a DNS server cannot answer a DNS query, it forwards the query to the forwarding DNS server to get the needed response, then answers back to the client.  
 +  * **Zone Transfer Access by IP Address**: Enter the IP addresses that are allowed to download all records maintained by this domain name server through zone transfers.  
 +    * A zone transfer allows another DNS server to download the complete list of hosts maintained by your DNS server. Zone transfers are used by secondary domain name servers to synchronize their records with primary domain name servers. 
 +By default, zone transfers are not allowed to any domain. You must explicitly enter any domain names that are allowed to perform zone transfers, or no domain will be able to perform zone transfers.
 ==DNS Rate Limits== ==DNS Rate Limits==
 DNS Response Rate Limiting (DNS RRL) is an experimental protection feature for domain name servers. This mechanism keeps BIND 9 from being used in amplifying reflection denial of service attacks as well as partially protecting BIND 9 itself from some denial of service attacks. By default it should be enabled. DNS Response Rate Limiting (DNS RRL) is an experimental protection feature for domain name servers. This mechanism keeps BIND 9 from being used in amplifying reflection denial of service attacks as well as partially protecting BIND 9 itself from some denial of service attacks. By default it should be enabled.