author: William G Hatch <william@hatch.uno> 2019-10-23 09:50:47 -0600
committer: Lassulus <github@lassul.us> 2019-11-19 22:24:30 +0100
commit: 9abc97dc652a88c79105de0062dee4bcb5eedf23 (patch)
tree: ff65e0040f91cf8a4271a736d570ceed3a59962b /nixos/modules/services/networking/bind.nix
parent: 943508a7fa95ce6aa8f14a9a717881e436b3816e (diff)
bind: Expand description of services.bind.cacheNetworks
The new description should give more clear understanding of when to
edit the option.

I used NixOS to set up a DNS server that is authoritative for certain
zones.  The description of the `cacheNetworks` option made me think I
needed to set it to `"any"` to allow people to query the zone I set
up.  Reading the source of the module would have clarified my
understanding, but at the time I just read the description and thought
little of it.  Later I discovered I was getting tons of DNS requests
and presumably being used for a DNS amplification attack or similar.
I have fixed the problem now, but I would like the option to have a
clearer description so others don't make the same mistake I did.
Diffstat (limited to 'nixos/modules/services/networking/bind.nix')
-rw-r--r-- nixos/modules/services/networking/bind.nix 6
1 file changed, 5 insertions, 1 deletion
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 06af4dbcca4..d09c6735e12 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -78,7 +78,11 @@ in
       cacheNetworks = mkOption {
         default = ["127.0.0.0/24"];
         description = "
-          What networks are allowed to use us as a resolver.
+          What networks are allowed to use us as a resolver.  Note
+          that this is for recursive queries -- all networks are
+          allowed to query zones configured with the `zones` option.
+          It is recommended that you limit cacheNetworks to avoid your
+          server being used for DNS amplification attacks.
         ";
       };
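Review bot: the backticks around `zones` in the added description text are unlikely to render as markup, because this option's `description` is a plain `"..."` string and NixOS option documentation of this era is DocBook rather than Markdown; consider `<option>services.bind.zones</option>` (and the same markup for `cacheNetworks` in the last sentence) so the two options are linked and named consistently in the generated manual. The `--` will also appear as two literal hyphens; a comma or a separate sentence reads cleaner. The substance is a clear improvement: the default `127.0.0.0/24` on the line above is already restrictive, and the new text explains why a user should not widen it just to serve the authoritative zones.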