| | | |
|---|---|---|
| author | William G Hatch <william@hatch.uno> | 2019-10-23 09:50:47 -0600 |
| committer | Lassulus <github@lassul.us> | 2019-11-19 22:24:30 +0100 |
| commit | 9abc97dc652a88c79105de0062dee4bcb5eedf23 (patch) | |
| tree | ff65e0040f91cf8a4271a736d570ceed3a59962b /nixos/modules/services/networking/bind.nix | |
| parent | 943508a7fa95ce6aa8f14a9a717881e436b3816e (diff) | |
bind: Expand description of services.bind.cacheNetworks
The new description should give a clearer understanding of when to edit the option. I used NixOS to set up a DNS server that is authoritative for certain zones. The description of the `cacheNetworks` option made me think I needed to set it to `"any"` to allow people to query the zone I set up. Reading the source of the module would have clarified my understanding, but at the time I just read the description and thought little of it. Later I discovered I was getting tons of DNS requests and presumably being used for a DNS amplification attack or similar. I have fixed the problem now, but I would like the option to have a clearer description so others don't make the same mistake I did.
Diffstat (limited to 'nixos/modules/services/networking/bind.nix')
-rw-r--r-- | nixos/modules/services/networking/bind.nix | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index 06af4dbcca4..d09c6735e12 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -78,7 +78,11 @@ in cacheNetworks = mkOption { default = ["127.0.0.0/24"]; description = " - What networks are allowed to use us as a resolver. + What networks are allowed to use us as a resolver. Note + that this is for recursive queries -- all networks are + allowed to query zones configured with the `zones` option. + It is recommended that you limit cacheNetworks to avoid your + server being used for DNS amplification attacks. "; }; |
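Review bot: In the `cacheNetworks` description, the sentence "It is recommended that you limit cacheNetworks to avoid your server being used for DNS amplification attacks" reads as though the option were open by default, but the default shown in this hunk is already the restrictive `["127.0.0.0/24"]`; say instead that the default only permits recursion from localhost and should be left alone (or widened only to trusted client networks) when the server is meant to be authoritative, since that is exactly the mistake the commit message describes. The same hunk also wraps `zones` in Markdown-style backticks inside a plain Nix description string, while the surrounding description text uses no such markup; name it as the `services.bind.zones` option in plain prose, or use whatever reference convention the rest of this module's descriptions use, so it renders consistently in the generated option documentation.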