Date:      Thu, 8 Jun 2006 08:15:40 +0400 (MSD)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        dougb@freebsd.org, current@freebsd.org
Subject:   Re: named recursive queries
Message-ID:  <20060608074705.Q6097@mp2.macomnet.net>
In-Reply-To: <448799B6.8080709@mac.com>
References:  <20060608015022.Y52876@mp2.macomnet.net> <448799B6.8080709@mac.com>

On Wed, 7 Jun 2006, 23:29-0400, Chuck Swiger wrote:

> Maxim Konovalov wrote:
> > [ Bikeshed zone ]
> >
> > I think we need to stop spreading misconfigured named's too.
> > Any objections?
>
> It seems clear that people who want to run a recursive nameserver
> will be able to change this if your proposed change is made.
> However, which problem are you trying to solve with it?
>
> Yes, people can send queries with a spoofed sender to perform a DoS,
> and yes, permitting recursive queries lets the attacker choose a
> large response from any zone rather than having to tailor the attack
> to each nameserver.
>
> But querying each individual nameserver for the SOA record of its domain

By default there are master zones (hence SOA records) for
0.0.127.IN-ADDR.ARPA and the IPv6 localhost ARPA zone in our named.conf.
Queries to them should be limited by the same ACL.

> would do just about as well for a DoS, and besides, you can construct a DoS
> attack using spoofed traffic via any open service, from chargen to HTTP....

That's why we don't have chargen turned on by default.  For HTTP the
amplification is ~1 and personally I don't know a way to construct an
effective DoS.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level. [1] I'd be happier if named grew a
> mechanism to rate-limit queries made by foreign networks (or local
> ones, for that matter), rather than this change. [2]

I agree that the problem in general should be solved by a complete
TCP/IP and Internet redesign :-) but personally I just want us to stop
spreading an incorrect named config and make people think a minute and
learn a bit _before_ they run an authoritative or recursive name
server based on our example config.  It's just a question of being
good netizens.  A lemming argument: all *BSDs are already doing that.

-- 
Maxim Konovalov
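The configuration Maxim describes above, written out as an added example (it is not part of this thread and not FreeBSD's actual default named.conf): a single ACL gates both recursion and queries to the local reverse zones, so a spoofed-source SOA query against 0.0.127.IN-ADDR.ARPA gets no answer either. The ACL name `trusted`, the directory and the zone file names are assumptions; the directives themselves are standard BIND 9.

```conf
// Added example, not the FreeBSD default named.conf.
// One ACL covers both recursion and the local master zones.
acl "trusted" {
    127.0.0.0/8;
    ::1;
    // 192.0.2.0/24;   // placeholder: your own networks go here
};

options {
    directory "/etc/namedb";           // assumed path
    allow-recursion { "trusted"; };    // recursive service only for trusted clients
    allow-query     { "trusted"; };    // default for any zone that does not override it
};

// Local reverse zones are still served as master, but only to the same ACL,
// so they cannot be used as a reflector for SOA queries from spoofed sources.
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost-reverse.db";   // assumed file name
    allow-query { "trusted"; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
    type master;
    file "master/localhost-reverse-v6.db";   // assumed file name
    allow-query { "trusted"; };
};

// A zone you are genuinely authoritative for on the public Internet must
// still answer everyone; only the per-zone allow-query changes for it.
// zone "example.com" {
//     type master;
//     file "master/example.com.db";
//     allow-query { any; };
// };
```

The per-zone `allow-query` on the localhost zones is what matters for Maxim's point: a global `allow-recursion` alone leaves the master zones answering anyone, which is exactly the SOA reflection Chuck mentions.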


