|
Bugtraq
mailing list archives
Re: recursive DNS servers DDoS as a growing DDoS problem
From: Ross Wheeler <rossw () albury net au>
Date: Wed, 5 Apr 2006 15:13:16 +1000 (EST)
If your goal is to eliminate the recursive resolution reflection
amplification, then you must disable it for all but trusted subnets.
This also defends the server from the more trivial of cache poisoning
attacks (assuming your own systems use the resolver as well).
I know this is a more "generic" problem, and not everyone runs bind/named,
but for those who do, is it sufficient to simply do this in named.conf:
acl "goodguys" {
(list of trusted peers who can request your zone files)
};
acl "locals" {
127.0.0.0/8;
(list of your subnets);
(list of TRUSTED hosts outside your network);
};
options {
allow-transfer { goodguys; };
allow-query { locals; };
allow-recursion { locals; };
};
then in each zone you are authorative for:
zone "mydomain.com" { type master;
file "zone.mydomain.com";
allow-query { any; };
};
(repeat for each authorative zone)
This lets anyone on your network, and others you might trust, full
recursive lookups, while simply denying recursion for everyone else, but
allows others to query your nameserver for domains YOU are authorative
for? Or am I missing something obvious... because this is how we've been
doing it for years.
RossW
 By Date 
By Thread
Current thread:
Re: recursive DNS servers DDoS as a growing DDoS problem Simon Boulet (Apr 04)
Re: recursive DNS servers DDoS as a growing DDoS problem Paul Stepowski (Apr 01)
RE: recursive DNS servers DDoS as a growing DDoS problem Måns Nilsson (Apr 04)
RE: recursive DNS servers DDoS as a growing DDoS problem Thomas Guyot-Sionnest (Apr 04)
|
Intro
