Home page logo

nanog logo nanog mailing list archives

Tightened DNS security question re: DNS amplification attacks.
From: Matthew Huff <mhuff () ox com>
Date: Tue, 27 Jan 2009 15:04:19 -0500

Given the recent DNS amplification attacks, I've audit and updated our
authoritative servers. We are using 9.6.0-P1 now. I've been using the cyrmu
templates, but one thing I see is that the dns queries to the . hint file
are still occuring and are not being denied by our servers. For example:

27-Jan-2009 15:00:22.963 queries: client view
external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client view
external-in: query: . IN NS +

the named.conf has:


view "external-in" in {
  match-clients { any; };
  recursion no;
  additional-from-auth no;
  additional-from-cache no;

  zone "." in {
    type hint;
    file "db.cache";

since you can't put a "allow-query { none; };" in a hint zone, what can I do
to deny the query to the . zone file?

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

Attachment: Matthew Huff.vcf

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]