preventing external use of nameserver for non-authoritative zones

Robin Stevens robin.stevens at computing-services.oxford.ac.uk
Mon Feb 5 11:41:21 UTC 2001


On Thu, Feb 01, 2001 at 11:04:12AM -0700, Cricket Liu wrote:
> > I'm attempting to lock down our nameservers to prevent arbitrary hosts
> > from getting responses to arbitrary queries, as recommended by the CIAC
> > bulletin http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
> >
> > Mostly, there's no problem: I can lock things down such that internal
> > users can use our servers for all requests, but external users may only
> > use them for the zones for which we are authoritative.
 
> Instead of using a query access control list, you could use the
> allow-recursion substatement introduced in BIND 8.2.1 to restrict
> recursive queries to clients on your network.

As far as restricting external usage of the nameservers goes, this does the
job, but it's been pointed out that as regards the risk as described in the
CIAC bulletin, it doesn't actually help much.  The payload returned even
for nonrecursive queries can be quite large.  For instance a query on
www.cam.ac.uk. will result in seven nameservers for cam.ac.uk. being
returned (comparable to the amount of data being returned when one of our
servers was used as part of a DoS attack recently); other queries will no
doubt return more data.

	Robin
-- 
--------------- Robin Stevens  <robin.stevens at oucs.ox.ac.uk> -----------------
Oxford University Computing Services  http://www-astro.physics.ox.ac.uk/~rejs/
 (+44)(0)1865: 726796 (home) 273212 (work)  273275 (fax)  Mobile: 07776 235326
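An added illustration, not part of either message in the thread above: a BIND 8 named.conf fragment that combines the two approaches discussed, the allow-recursion substatement (BIND 8.2.1 and later) and per-zone query ACLs. The network 192.0.2.0/24 and the zone example.org are placeholders chosen for the example.

```conf
// Added example named.conf fragment; assumptions:
//   - internal clients are in 192.0.2.0/24 (placeholder documentation prefix)
//   - this server is authoritative for example.org (placeholder zone)

acl "internal" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Weak setting (BIND 8 default): recursion is answered for any client.
    // recursion yes;

    // Corrected: only internal clients may ask us to recurse.
    allow-recursion { internal; };

    // Default query policy for every zone not listed below: internal only.
    // External clients therefore cannot use the cache or non-authoritative data.
    allow-query { internal; };
};

zone "example.org" {
    type master;
    file "example.org.zone";
    // We are authoritative here, so anyone may query this zone.
    allow-query { any; };
};
```

With allow-recursion alone, external clients still receive referrals for names outside the authoritative zones, which is the large-payload case the reply describes; the global allow-query restriction, overridden per authoritative zone, is what actually limits which responses an arbitrary external host can obtain.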