> On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann < hfollm...@itcfollmann.com > wrote:
> Actually the current Bind in stable is just a blessing in this respect.
> It -by default- just allows recursion for localnet, localhost.

This server is still Wheezy. The virtual websites didn't work on Jessie Apache (I have no idea why yet).

> So if you don't mess with it at all it does the right thing automagically.
>
> Most likely if you remove anything you tried to configure in the options it
> will work just the way you want.

I'd already done what Eduardo suggested in his post (config BIND to allow recursion from only a specified list of IPs), and all was well -- as soon as I tested it properly.

FWIW, I ran dnstop for a while. I saw quite a bit of my own server at first, but over a few minutes, its output turned into a list of hits on my domains. Almost all from the 52, 54 area (AWS). I don't know, but I assume dnstop is looking at packets before iptables processes them. If not, something is still badly broken.

Also FWIW, at GitHub there's a very nice shell script that downloads, from Amazon, a list of the nets in AWS, creates iptables DROP commands for them, and enters the commands into your iptables filter. Takes a little futzing to make it run on Wheezy, but it runs out of the box on Jessie:
https://github.com/corbanworks/aws-blocker/blob/master/aws-blocker

The router seems reasonably quiet right now. Maybe the script kiddies are all at church, praying for their souls...

-- 
Glenn English
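Added illustration, not from anyone in this thread: a named.conf fragment showing what "allow recursion from only a specified list of IPs" looks like in BIND 9, so the server stays authoritative for its own zones without acting as an open resolver. The ACL name and the addresses in it are constructed placeholders.

```conf
// Added example (not from the thread): restrict recursion to known clients.
// ACL name and addresses are constructed placeholders; substitute your own.
acl "recursion-clients" {
    127.0.0.1;          // localhost
    ::1;
    192.0.2.0/24;       // constructed: the LAN this server resolves for
    198.51.100.7;       // constructed: one remote host allowed to recurse
};

options {
    directory "/var/cache/bind";

    // Anyone may still ask about the zones this server is authoritative for...
    allow-query { any; };

    // ...but recursive lookups, and answers served from the cache, are only
    // done for the ACL. Everyone else gets REFUSED instead of a free resolver.
    recursion yes;
    allow-recursion { recursion-clients; };
    allow-query-cache { recursion-clients; };
};
```

Run named-checkconf after editing, then from an address outside the ACL query the server for a name it is not authoritative for: the answer should come back with status REFUSED, while queries for your own zones still succeed.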