howtos: avoid unrestricted recursive resolution in 4.0.x ALIAS example

author Walter Hop <walter@lifeforms.nl>

Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)

committer Walter Hop <walter@lifeforms.nl>

Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)
author Walter Hop <walter@lifeforms.nl>
Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)
committer Walter Hop <walter@lifeforms.nl>
Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)
diff --git a/docs/markdown/authoritative/howtos.md b/docs/markdown/authoritative/howtos.md

index e5d985f2919d673a06c4385c746fee7f5b35553b..2085bf52e2a1e978596f407aeae8c034c977be32 100644 (file)
--- a/docs/markdown/authoritative/howtos.md
+++ b/docs/markdown/authoritative/howtos.md
@@ -187,10 +187,11 @@ expand-alias=yes
  
  **note**: If `resolver` is unset, ALIAS expension is disabled!
  
-**note**: In PowerDNS Authoritative Server 4.0.x, the setting [`recursor`](settings.md#recursor) is used instead, and you should omit the [`expand-alias`](settings.md#expand-alias) setting:
+**note**: In PowerDNS Authoritative Server 4.0.x, the setting [`recursor`](settings.md#recursor) is used instead, and you should omit the [`expand-alias`](settings.md#expand-alias) setting. Note that setting [`recursor`](settings.md#recursor) will allow recursive queries to all clients by default, which you likely do not want for security reasons, so you should restrict this:
  
  ```
  recursor=[::1]:5300
+allow-recursion=::1, 127.0.0.1
  ```
  
  Then add the ALIAS record to your zone apex. e.g.:
author	Walter Hop <walter@lifeforms.nl>
	Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)
committer	Walter Hop <walter@lifeforms.nl>
	Thu, 15 Jun 2017 16:47:44 +0000 (18:47 +0200)