Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too.
> Any objections?

It seems clear that people who want to run a recursive nameserver will be able to change this if your proposed change is made. However, which problem are you trying to solve with it?

Yes, people can send queries with a spoofed sender to perform a DoS, and yes, permitting recursive queries lets the attacker choose a large response from any zone rather than having to tailor the attack to each nameserver. But querying each individual nameserver for the SOA record of its domain would do just about as well for a DoS, and besides, you can construct a DoS attack using spoofed traffic via any open service, from chargen to HTTP.... The right solution to that problem is egress filtering of spoofed traffic at the ISP-level. [1]

I'd be happier if named grew a mechanism to rate-limit queries made by foreign networks (or local ones, for that matter), rather than this change. [2]

--
-Chuck

[1]: http://www.mit.edu/~rbeverly/papers/spoofer-sruti05.html

[2]: serial-query-rate exists, but isn't really what's needed. Perhaps no change in BIND is going to solve the broader problem that 25% of the netblocks out there permit spoofing -- a more generalized solution in the network stack (similar to net.inet.icmp.icmplimit) rather than in a specific application might do, or perhaps at the firewall level via dummynet or equivalent.

> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf 5 Sep 2005 13:42:22 -0000 1.22
> +++ named.conf 7 Jun 2006 21:56:26 -0000
> @@ -30,6 +30,13 @@ options {
> //
> // forward only;
>
> +// Prevent external networks from using us to query domains we are not
> +// authoritative for.
> +//
> + allow-recursion {
> + localhost;

Surely this should be localnets...?

> + };
> +
> // If you've got a DNS server around at your upstream provider, enter
> // its IP address here, and enable the line below. This will make you
> // benefit from its cache, thus reduce overall DNS traffic in the Internet.

Received on Thu Jun 08 2006 - 04:08:44 UTC
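Review bot: the comment on the added lines says the goal is to stop external networks from using this server for recursion, but `allow-recursion { localhost; };` is narrower than the comment describes: it refuses recursion to every source except the machine itself, so any host on the local network that points at this server as its resolver stops getting recursive answers after the update. Either widen the list to match the comment, e.g. `allow-recursion { localhost; localnets; };`, or reword the comment to say that recursion is limited to this host and that anyone serving a LAN must extend the list. The comment should also mention that the `options` block previously had no `allow-recursion` at all, so the behaviour for existing installations changes silently on upgrade.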
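The configuration the thread argues about, as an added example that is not part of the FreeBSD patch or of Chuck's message: a named.conf fragment that keeps recursion to a named ACL (covering the localnets case raised above) beside the permissive setting, and adds the response-rate-limiting block that later BIND releases introduced, which is roughly the mechanism Chuck says he would prefer. The address ranges and the ACL name are assumed placeholders.

```conf
// Constructed example; not the FreeBSD default named.conf.
// Assumed local prefixes use documentation ranges only.
acl "resolver-clients" {
    localhost;          // every address configured on this host
    localnets;          // every directly attached network
    192.0.2.0/24;       // assumed office LAN
    2001:db8:1::/48;    // assumed IPv6 prefix
};

options {
    // Weak: any source on the Internet may recurse through this server,
    // so a query with a spoofed source for a large record in any zone
    // is amplified toward the victim.  Leaving allow-recursion out of
    // an old-style named.conf had the same effect.
    // allow-recursion { any; };

    // Corrected: recursion and cache reads only for the ACL above.
    allow-recursion   { resolver-clients; };
    allow-query-cache { resolver-clients; };

    // Authoritative data stays reachable by everyone.
    allow-query { any; };

    // Response rate limiting (later BIND releases): identical responses
    // to one client /24 (or IPv6 /56) are capped per second; excess UDP
    // answers are dropped or sent truncated (TC), so a real resolver
    // retries over TCP while spoofed floods get little amplification.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;   // set to yes first to observe what would be limited
    };
};
```

Run `named-checkconf` on the result before reloading; with `log-only yes` the rate-limit block only logs, which is a safe way to measure the effect before enforcing it.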