Re: named recursive queries

From: Chuck Swiger <cswiger_at_mac.com>
Date: Wed, 07 Jun 2006 23:29:58 -0400
Maxim Konovalov wrote:
> [ Bikeshed zone ]
> 
> I think we need to stop spreading misconfigured named's too.
> Any objections?

It seems clear that people who want to run a recursive nameserver will be able 
to change this if your proposed change is made.  However, which problem are you 
trying to solve with it?

Yes, people can send queries with a spoofed sender to perform a DoS, and yes, 
permitting recursive queries lets the attacker choose a large response from 
any zone rather than having to tailor the attack to each nameserver.

But querying each individual nameserver for the SOA record of its domain 
would do just about as well for a DoS, and besides, you can construct a DoS 
attack using spoofed traffic via any open service, from chargen to HTTP....

The right solution to that problem is egress filtering of spoofed traffic at 
the ISP-level. [1]  I'd be happier if named grew a mechanism to rate-limit 
queries made by foreign networks (or local ones, for that matter), rather than 
this change. [2]

-- 
-Chuck

[1]: http://www.mit.edu/~rbeverly/papers/spoofer-sruti05.html

[2]: serial-query-rate exists, but isn't really what's needed.

Perhaps no change in BIND is going to solve the broader problem that 25% of 
the netblocks out there permit spoofing-- a more generalized solution in the 
network stack (similar to net.inet.icmp.icmplimit) rather than in a specific 
application might do, or perhaps at the firewall level via dummynet or equivalent.

> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf	5 Sep 2005 13:42:22 -0000	1.22
> +++ named.conf	7 Jun 2006 21:56:26 -0000
> _at__at_ -30,6 +30,13 _at__at_ options {
>  //
>  //      forward only;
> 
> +// Prevent external networks from using us to query domains we are not
> +// authoritative for.
> +//
> +	allow-recursion {
> +		localhost;

Surely this should be localnets...?

> +	};
> +
>  // If you've got a DNS server around at your upstream provider, enter
>  // its IP address here, and enable the line below.  This will make you
>  // benefit from its cache, thus reduce overall DNS traffic in the Internet.
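Review bot: the new comment ("Prevent external networks from using us...") does not match the ACL beneath it, since `allow-recursion { localhost; };` denies recursion to every client except the server itself, including hosts on the directly attached networks that a stock named is most likely serving. If the intent is what the comment states, `localnets` (as raised in the reply above) or an explicit list of the site's own prefixes fits the comment better, and the comment should name whichever ACL is chosen so that an administrator reading the default sees why LAN clients get REFUSED. Whatever the ACL, this is a behaviour change for existing installs, so the surrounding comment should say plainly that clients outside the listed networks will no longer get recursive answers and how to widen the list.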
> 
Received on Thu Jun 08 2006 - 04:08:44 UTC
