On Wed, 7 Jun 2006, 23:29-0400, Chuck Swiger wrote:
> Maxim Konovalov wrote:
> > [ Bikeshed zone ]
> >
> > I think we need to stop spreading misconfigured named's too.
> > Any objections?
>
> It seems clear that people who want to run a recursive nameserver
> will be able to change this if your proposed change is made.
> However, which problem are you trying to solve with it?
>
> Yes, people can send queries with a spoofed sender to perform a DoS,
> and yes, permitting recursive queries lets the attacker choose a
> large response from any zone rather than having to tailor the attack
> to each nameserver.
>
> But querying each individual nameserver for the SOA record of its domain

By default there are master zones (hence SOA records) for
0.0.127.IN-ADDR.ARPA and the IPv6 localhost ARPA zone in our named.conf.
Queries to them should be limited by the same ACL.

> would do just about as well for a DoS, and besides, you can construct a DoS
> attack using spoofed traffic via any open service, from chargen to HTTP....

That's why we don't have chargen turned on by default. For HTTP the
amplification is ~1 and personally I don't know a way to construct an
effective DoS.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level. [1] I'd be happier if named grew a
> mechanism to rate-limit queries made by foreign networks (or local
> ones, for that matter), rather than this change. [2]

I agree that the problem in general should be solved by a complete
TCP/IP and Internet redesign :-) but personally I just want us to stop
spreading an incorrect named config and make people think a minute and
learn a bit _before_ they run an authoritative or recursive name server
based on our example config. It's just a question of being good
netizens. A lemming argument: all *BSDs are already doing that.

-- 
Maxim Konovalov

Received on Thu Jun 08 2006 - 04:50:04 UTC
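The configuration the thread is arguing about, shown as an added illustration rather than the FreeBSD example named.conf itself: the open-resolver default beside a hardened form that applies one ACL both to recursion and to the localhost master zones, so that neither the cache nor the SOA records of 0.0.127.IN-ADDR.ARPA and its IPv6 counterpart can be used as a reflector from outside. The ACL name "trusted", the prefixes in it, the file paths and the public zone "example.org" are assumptions made for the example. The `allow-query-cache` option did not exist in the BIND releases current when this mail was written (it arrived in BIND 9.4); on older BIND, `allow-query` in `options` has to do double duty.

```conf
// Added example, not the project's named.conf. ACL name, prefixes and
// file names are assumptions for illustration.

acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;      // RFC 5737 documentation prefix standing in for the LAN
};

options {
    directory "/etc/namedb";   // assumed path

    // Weak default (open resolver): with no restriction, any source address on
    // the Internet may recurse through this server, so a spoofed query can
    // bounce a large answer from any zone the attacker likes at the victim.
    //
    //     recursion yes;

    // Hardened: still a recursive server, but only for the trusted networks.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };   // BIND >= 9.4; on older BIND restrict
                                        // allow-query here and open it per zone
};

// The localhost reverse zones are master zones, so they carry an SOA record
// and would answer anyone unless queries to them are limited by the same ACL.
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost-reverse";
    allow-query { "trusted"; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
    type master;
    file "master/localhost-reverse-v6";
    allow-query { "trusted"; };
};

// A zone this host is genuinely authoritative for must stay world-readable;
// the ACL applies to recursion and to the private zones, not to public data.
zone "example.org" {
    type master;
    file "master/example.org";
    allow-query { any; };
};
```

To check the result: `named-checkconf` validates the syntax before a reload, and a query sent from an address outside the ACL, for example `dig @<server> www.example.org A`, should come back REFUSED without the `ra` flag in the header, while the same query from a trusted address is answered recursively.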