From: Chuck Swiger
Date: Wed, 07 Jun 2006 23:29:58 -0400
To: Maxim Konovalov
Cc: dougb@freebsd.org, current@freebsd.org
Subject: Re: named recursive queries
Message-ID: <448799B6.8080709@mac.com>
In-Reply-To: <20060608015022.Y52876@mp2.macomnet.net>

Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too.
> Any objections?

It seems clear that people who want to run a recursive nameserver will be able to change this if your proposed change is made. However, which problem are you trying to solve with it?

Yes, people can send queries with a spoofed sender to perform a DoS, and yes, permitting recursive queries lets the attacker choose a large response from any zone rather than having to tailor the attack to each nameserver. But querying each individual nameserver for the SOA record of its domain would do just about as well for a DoS, and besides, you can construct a DoS attack using spoofed traffic via any open service, from chargen to HTTP.... The right solution to that problem is egress filtering of spoofed traffic at the ISP level. [1]

I'd be happier if named grew a mechanism to rate-limit queries made by foreign networks (or local ones, for that matter), rather than this change. [2]

--
-Chuck

[1]: http://www.mit.edu/~rbeverly/papers/spoofer-sruti05.html
[2]: serial-query-rate exists, but isn't really what's needed.
Perhaps no change in BIND is going to solve the broader problem that 25% of the netblocks out there permit spoofing-- a more generalized solution in the network stack (similar to net.inet.icmp.icmplimit) rather than in a specific application might do, or perhaps at the firewall level via dummynet or equivalent.

> Index: named.conf > =================================================================== > RCS file: /home/ncvs/src/etc/namedb/named.conf,v > retrieving revision 1.22 > diff -u -p -r1.22 named.conf > --- named.conf 5 Sep 2005 13:42:22 -0000 1.22 > +++ named.conf 7 Jun 2006 21:56:26 -0000 > @@ -30,6 +30,13 @@ options { > // > // forward only; > > +// Prevent external networks from using us to query domains we are not > +// authoritative for. > +// > + allow-recursion { > + localhost; Surely this should be localnets...? > + }; > + > // If you've got a DNS server around at your upstream provider, enter > // its IP address here, and enable the line below. This will make you > // benefit from its cache, thus reduce overall DNS traffic in the Internet. >
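Review bot: the new `allow-recursion { localhost; };` in this hunk matches only the addresses configured on the server itself, so any other host on the LAN that points its resolver at this named (the usual reason to run one) will from now on have its queries answered non-recursively instead of resolved; the `localnets` question raised in the reply is the right one. The comment block above the directive explains why the restriction exists but not how to relax it, so it should also tell the administrator what to put in the list for a LAN resolver (for instance `localnets;` or an explicit network) before this becomes the shipped default.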
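An added named.conf fragment, written for this note and not taken from the thread's patch or FreeBSD's own file, showing the `localnets` alternative raised above: the host-only setting from the diff beside an ACL that names the clients allowed to recurse (the 192.0.2.0/24 network is a placeholder).

```conf
// Weak for a LAN resolver (the diff's default): only the server's own
// interface addresses match "localhost", so other hosts on the LAN that
// use this named as their resolver get non-recursive answers instead
// of resolution.
//
//   options {
//       allow-recursion { localhost; };
//   };

// Corrected: name the clients that may recurse through this server.
acl "trusted" {
    localhost;        // every address configured on this host
    localnets;        // every network directly attached to an interface
    // 192.0.2.0/24;  // placeholder: add specific client networks here
};

options {
    recursion yes;
    // Only "trusted" clients may have us resolve names we are not
    // authoritative for; everyone else is still answered for our own
    // zones, which is the behaviour the diff's comment asks for.
    allow-recursion { "trusted"; };
};
```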