[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.31.0604051503470.1886-100000@giroc.albury.net.au>
Date: Wed, 5 Apr 2006 15:13:16 +1000 (EST)
From: Ross Wheeler <rossw@...ury.net.au>
To: Tim <tim-security@...tinelchicken.org>
Cc: Anton Ivanov <arivanov@...segv.cx>, gboyce <gboyce@...belly.com>,
"Geo." <geoincidents@....net>, <bugtraq@...urityfocus.com>
Subject: Re: recursive DNS servers DDoS as a growing DDoS problem
> If your goal is to eliminate the recursive resolution reflection
> amplification, then you must disable it for all but trusted subnets.
> This also defends the server from the more trivial of cache poisoning
> attacks (assuming your own systems use the resolver as well).
I know this is a more "generic" problem, and not everyone runs bind/named,
but for those who do, is it sufficient to simply do this in named.conf:
acl "goodguys" {
(list of trusted peers who can request your zone files)
};
acl "locals" {
127.0.0.0/8;
(list of your subnets);
(list of TRUSTED hosts outside your network);
};
options {
allow-transfer { goodguys; };
allow-query { locals; };
allow-recursion { locals; };
};
then in each zone you are authorative for:
zone "mydomain.com" { type master;
file "zone.mydomain.com";
allow-query { any; };
};
(repeat for each authorative zone)
This lets anyone on your network, and others you might trust, full
recursive lookups, while simply denying recursion for everyone else, but
allows others to query your nameserver for domains YOU are authorative
for? Or am I missing something obvious... because this is how we've been
doing it for years.
RossW
Powered by blists - more mailing lists