Date: Wed, 07 Jun 2006 23:29:58 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: dougb@freebsd.org, current@freebsd.org
Subject: Re: named recursive queries
Message-ID: <448799B6.8080709@mac.com>
In-Reply-To: <20060608015022.Y52876@mp2.macomnet.net>
References: <20060608015022.Y52876@mp2.macomnet.net>
Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too.
> Any objections?

It seems clear that people who want to run a recursive nameserver will be able to change this if your proposed change is made. However, which problem are you trying to solve with it?

Yes, people can send queries with a spoofed sender to perform a DoS, and yes, permitting recursive queries lets the attacker choose a large response from any zone rather than having to tailor the attack to each nameserver. But querying each individual nameserver for the SOA record of its domain would do just about as well for a DoS, and besides, you can construct a DoS attack using spoofed traffic via any open service, from chargen to HTTP.... The right solution to that problem is egress filtering of spoofed traffic at the ISP level. [1]

I'd be happier if named grew a mechanism to rate-limit queries made by foreign networks (or local ones, for that matter), rather than this change. [2]

-- 
-Chuck

[1]: http://www.mit.edu/~rbeverly/papers/spoofer-sruti05.html

[2]: serial-query-rate exists, but isn't really what's needed. Perhaps no change in BIND is going to solve the broader problem that 25% of the netblocks out there permit spoofing -- a more generalized solution in the network stack (similar to net.inet.icmp.icmplimit) rather than in a specific application might do, or perhaps at the firewall level via dummynet or equivalent.

> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf	5 Sep 2005 13:42:22 -0000	1.22
> +++ named.conf	7 Jun 2006 21:56:26 -0000
> @@ -30,6 +30,13 @@ options { > // > // forward only; > > +// Prevent external networks from using us to query domains we are not > +// authoritative for. > +// > + allow-recursion { > + localhost; Surely this should be localnets...? > + }; > + > // If you've got a DNS server around at your upstream provider, enter > // its IP address here, and enable the line below. This will make you > // benefit from its cache, thus reduce overall DNS traffic in the Internet. >
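Review bot: the new `allow-recursion { localhost; };` block does not do what its own comment says. The comment promises to stop external networks from using the server for recursion, but `localhost` also refuses recursive service to every host on the server's own networks, so a FreeBSD box that acts as the resolver for its LAN stops answering its clients with this default file. Either make the setting match the comment, e.g. `allow-recursion { localhost; localnets; };` (or an explicit acl naming the trusted prefixes), or reword the comment to say that recursion is limited to the local host only. The block would also benefit from a line telling administrators what to widen if they do serve a LAN, in the same style as the guidance the surrounding options already carry (the forwarders block two lines below is documented that way).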
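As an added example, not part of Maxim's patch or of Chuck's reply: the open default the thread is worried about, shown next to the same option written the way the reply suggests, with an explicit acl so the trusted set can be widened without touching the options block. The acl name "trusted" and the 192.0.2.0/24 prefix are illustrative assumptions; the two `options` blocks are alternatives for comparison, not meant to appear in one file.

```conf
// BEFORE (weak): no allow-recursion statement. In the BIND 9.3-era
// default discussed in the thread this means "any", so every host on
// the Internet can use this server as a recursive resolver, including
// as a reflector for queries carrying a spoofed source address.
options {
	recursion yes;
};

// AFTER (hardened): recursive service only for hosts we trust.
// "trusted" and 192.0.2.0/24 are illustrative, not taken from the patch.
acl "trusted" {
	localhost;	// the server itself
	localnets;	// every network directly attached to this host
	192.0.2.0/24;	// e.g. a remote office that should resolve through us
};

options {
	recursion yes;
	// Refuse to recurse for anyone outside the acl. Queries for zones
	// we are authoritative for are still answered to everyone, since
	// allow-recursion does not touch allow-query.
	allow-recursion { trusted; };
};
```

Two caveats a practitioner should keep in mind. First, allow-recursion decides only whether named will go out and resolve on a client's behalf; it says nothing about handing out answers that are already in the cache, so if the goal is to keep the cache private the same acl belongs on allow-query (or, in later BIND releases, allow-query-cache). Second, as the reply notes, none of this addresses spoofed-source traffic aimed at the authoritative data the server must answer for everyone; that remains a problem for egress filtering and rate limiting rather than for this option.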
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?448799B6.8080709>