|
BugTraq
RE: recursive DNS servers DDoS as a growing DDoS problem Mar 30 2006 09:08PM Geo. (geoincidents nls net) (2 replies) RE: recursive DNS servers DDoS as a growing DDoS problem Apr 03 2006 05:05AM MÃ¥ns Nilsson (mansaxel sunet se) RE: recursive DNS servers DDoS as a growing DDoS problem Mar 31 2006 05:38PM gboyce (gboyce badbelly com) (3 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Apr 03 2006 04:34PM Simon Boulet (simon nostalgeek com) Re: recursive DNS servers DDoS as a growing DDoS problem Apr 02 2006 07:40AM Anton Ivanov (arivanov sigsegv cx) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Apr 04 2006 02:54AM Tim (tim-security sentinelchicken org) (1 replies) RE: recursive DNS servers DDoS as a growing DDoS problem Mar 31 2006 06:27PM Geo. (geoincidents nls net) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Apr 03 2006 11:12PM Jim Pingle (jim hpcisp com) (1 replies) Re: recursive DNS servers DDoS as a growing DDoS problem Apr 05 2006 06:11AM Erwan David (Erwan David trusted-logic fr) |
|
Privacy Statement |
> If your goal is to eliminate the recursive resolution reflection
> amplification, then you must disable it for all but trusted subnets.
> This also defends the server from the more trivial of cache poisoning
> attacks (assuming your own systems use the resolver as well).
I know this is a more "generic" problem, and not everyone runs bind/named,
but for those who do, is it sufficient to simply do this in named.conf:
acl "goodguys" {
(list of trusted peers who can request your zone files)
};
acl "locals" {
127.0.0.0/8;
(list of your subnets);
(list of TRUSTED hosts outside your network);
};
options {
allow-transfer { goodguys; };
allow-query { locals; };
allow-recursion { locals; };
};
then in each zone you are authorative for:
zone "mydomain.com" { type master;
file "zone.mydomain.com";
allow-query { any; };
};
(repeat for each authorative zone)
This lets anyone on your network, and others you might trust, full
recursive lookups, while simply denying recursion for everyone else, but
allows others to query your nameserver for domains YOU are authorative
for? Or am I missing something obvious... because this is how we've been
doing it for years.
RossW
[ reply ]