Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: recursive DNS servers DDoS as a growing DDoS problem

From: Ross Wheeler <rossw () albury net au>
Date: Wed, 5 Apr 2006 15:13:16 +1000 (EST)


If your goal is to eliminate the recursive resolution reflection
amplification, then you must disable it for all but trusted subnets.
This also defends the server from the more trivial of cache poisoning
attacks (assuming your own systems use the resolver as well).


I know this is a more "generic" problem, and not everyone runs bind/named,
but for those who do, is it sufficient to simply do this in named.conf:


acl "goodguys" {
     (list of trusted peers who can request your zone files)
        };

acl "locals" {
        127.0.0.0/8;
        (list of your subnets);
        (list of TRUSTED hosts outside your network);
        };

options {
        allow-transfer { goodguys; };
        allow-query { locals; };
        allow-recursion { locals; };
};

then in each zone you are authorative for:

zone "mydomain.com" { type master;
        file "zone.mydomain.com";
        allow-query { any; };
};

(repeat for each authorative zone)



This lets anyone on your network, and others you might trust, full
recursive lookups, while simply denying recursion for everyone else, but
allows others to query your nameserver for domains YOU are authorative
for? Or am I missing something obvious... because this is how we've been
doing it for years.

RossW
Previous By Date Next
Previous By Thread Next

Current thread: