bind: Expand description of services.bind.cacheNetworks

The new description should give more clear understanding of when to edit the option. I used NixOS to set up a DNS server that is authoritative for certain zones. The description of the `cacheNetworks` option made me think I needed to set it to `"any"` to allow people to query the zone I set up. Reading the source of the module would have clarified my understanding, but at the time I just read the description and thought little of it. Later I discovered I was getting tons of DNS requests and presumably being used for a DNS amplification attack or similar. I have fixed the problem now, but I would like the option to have a clearer description so others don't make the same mistake I did.
2024-09-21 04:49:01 +02:00 · 2019-10-23 09:50:47 -06:00 · 2019-10-23 09:50:47 -06:00 · 9abc97dc65
parent 943508a7fa
commit 9abc97dc65
1 changed files with 5 additions and 1 deletions
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@ -78,7 +78,11 @@ in
      cacheNetworks = mkOption {
        default = ["127.0.0.0/24"];
        description = "
-          What networks are allowed to use us as a resolver.
+          What networks are allowed to use us as a resolver.  Note
+          that this is for recursive queries -- all networks are
+          allowed to query zones configured with the `zones` option.
+          It is recommended that you limit cacheNetworks to avoid your
+          server being used for DNS amplification attacks.
        ";
      };