lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.31.0604051503470.1886-100000@giroc.albury.net.au>
Date: Wed, 5 Apr 2006 15:13:16 +1000 (EST)
From: Ross Wheeler <rossw@...ury.net.au>
To: Tim <tim-security@...tinelchicken.org>
Cc: Anton Ivanov <arivanov@...segv.cx>, gboyce <gboyce@...belly.com>,
	"Geo." <geoincidents@....net>, <bugtraq@...urityfocus.com>
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem



> If your goal is to eliminate the recursive resolution reflection
> amplification, then you must disable it for all but trusted subnets.
> This also defends the server from the more trivial of cache poisoning
> attacks (assuming your own systems use the resolver as well).

I know this is a more "generic" problem, and not everyone runs bind/named,
but for those who do, is it sufficient to simply do this in named.conf:


acl "goodguys" {
     (list of trusted peers who can request your zone files)
	};

acl "locals" {
        127.0.0.0/8;
        (list of your subnets);
	(list of TRUSTED hosts outside your network);
	};

options {
        allow-transfer { goodguys; };
        allow-query { locals; };
        allow-recursion { locals; };
};

then in each zone you are authorative for:

zone "mydomain.com" { type master;
        file "zone.mydomain.com";
        allow-query { any; };
};

(repeat for each authorative zone)



This lets anyone on your network, and others you might trust, full
recursive lookups, while simply denying recursion for everyone else, but
allows others to query your nameserver for domains YOU are authorative
for? Or am I missing something obvious... because this is how we've been
doing it for years.

RossW



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ