Bugtraq mailing list archives
Re: recursive DNS servers DDoS as a growing DDoS problem
From: Ross Wheeler <rossw () albury net au>
Date: Wed, 5 Apr 2006 15:13:16 +1000 (EST)
If your goal is to eliminate the recursive resolution reflection amplification, then you must disable it for all but trusted subnets. This also defends the server from the more trivial of cache poisoning attacks (assuming your own systems use the resolver as well).
I know this is a more "generic" problem, and not everyone runs bind/named, but for those who do, is it sufficient to simply do this in named.conf:

    acl "goodguys" {
        // list of trusted peers who can request your zone files
    };
    acl "locals" {
        127.0.0.0/8;
        // list of your subnets
        // list of TRUSTED hosts outside your network
    };
    options {
        allow-transfer { goodguys; };
        allow-query { locals; };
        allow-recursion { locals; };
    };

then in each zone you are authoritative for:

    zone "mydomain.com" {
        type master;
        file "zone.mydomain.com";
        allow-query { any; };
    };

(repeat for each authoritative zone)

This lets anyone on your network, and others you might trust, do full recursive lookups, while simply denying recursion for everyone else, but allows others to query your nameserver for domains YOU are authoritative for? Or am I missing something obvious... because this is how we've been doing it for years.

RossW
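To see what the named.conf above actually decides for a given client, here is a small model of BIND's address-match-list evaluation (first match wins, a leading "!" denies, no match at all denies) applied to the three cases the post cares about: a local client asking for something off-site, an outsider asking for something off-site, and an outsider asking for a zone the server is authoritative for. This is an added illustration written for this thread, not code from the original message or from ISC. The ACL names mirror the post ("goodguys", "locals"); the member prefixes (192.0.2.x, 198.51.100.x, 203.0.113.x) are constructed documentation addresses standing in for "list of your subnets" and "TRUSTED hosts outside your network". Nested ACL references are not modelled; each list is a flat set of prefixes.

```python
"""Model BIND address-match-list evaluation for the named.conf in the post.

Added illustration, not code from the original message. ACL contents below
are constructed placeholders for the parenthetical lists in the post.
"""
import ipaddress

ACLS = {
    # BIND tries elements in order; the first whose prefix contains the client
    # decides, and a leading "!" turns that decision into a denial.
    "any": ["0.0.0.0/0", "::/0"],
    "goodguys": ["192.0.2.53"],            # constructed: a secondary allowed to AXFR
    "locals": [
        "127.0.0.0/8",
        "!198.51.100.99",                   # constructed: one local host explicitly excluded
        "198.51.100.0/24",                  # constructed: "list of your subnets"
        "203.0.113.7",                      # constructed: a trusted host outside the network
    ],
}

# The post's options{} block and its per-zone override, as data.
OPTIONS = {"allow-transfer": "goodguys", "allow-query": "locals", "allow-recursion": "locals"}
ZONES = {"mydomain.com": {"allow-query": "any"}}   # zone-level allow-query overrides options


def acl_matches(acl_name, client_ip):
    """Return True if client_ip is accepted by the named ACL, False otherwise.

    No match at all is a denial, exactly as BIND treats an access control list.
    The "!198.51.100.99" entry only works because it precedes the /24 that
    would otherwise match first.
    """
    addr = ipaddress.ip_address(client_ip)
    for element in ACLS[acl_name]:
        negated = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            return not negated
    return False


def authoritative_zone_for(qname):
    """Return the configured zone that owns qname, or None if it is not ours."""
    name = qname.rstrip(".").lower()
    for zone in ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def decide(client_ip, qname):
    """Classify how the server would treat a query for qname from client_ip.

    Returns one of:
      "answer-authoritative" - zone data served (the zone's allow-query permits it)
      "recurse"              - full recursive lookup performed for the client
      "refused"              - query answered with REFUSED (no reflection possible)
    """
    zone = authoritative_zone_for(qname)
    if zone is not None:
        acl = ZONES[zone].get("allow-query", OPTIONS["allow-query"])
        return "answer-authoritative" if acl_matches(acl, client_ip) else "refused"
    # Not our data: the client must pass both allow-query and allow-recursion.
    if acl_matches(OPTIONS["allow-query"], client_ip) and acl_matches(OPTIONS["allow-recursion"], client_ip):
        return "recurse"
    return "refused"


def transfer_allowed(client_ip):
    """True if client_ip may pull a zone transfer under allow-transfer."""
    return acl_matches(OPTIONS["allow-transfer"], client_ip)


if __name__ == "__main__":
    # Constructed sample clients: an internal host, the excluded host,
    # the secondary, and an arbitrary outsider.
    for client in ("198.51.100.10", "198.51.100.99", "192.0.2.53", "198.18.0.1"):
        print(client,
              "| www.mydomain.com ->", decide(client, "www.mydomain.com"),
              "| example.net ->", decide(client, "example.net"),
              "| AXFR:", transfer_allowed(client))
```

Run as a script it prints one line per sample client. The outsider (198.18.0.1) gets "answer-authoritative" for the hosted zone and "refused" for anything else, which is the property that removes the server from the pool of open reflectors while keeping it reachable for the domains it is authoritative for; a local client gets "recurse" for off-site names. The model also shows why element order inside an ACL matters: swap the "!198.51.100.99" line below the /24 and that host silently regains recursion.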