allow-query for non authoritative zones

Ladislav Vobr lvobr at ies.etisalat.ae
Fri Aug 22 14:30:44 UTC 2003


There are many real situations when the IP addresses are not spoofed, 
and it might possibly be most of your valid recursion-desired clients, for 
example viruses, worms, trojan horses. In this case BIND does not offer 
any mechanism, and many times people have raised this point here in the list, 
that caching time-outs might be very useful in such cases. Even if you 
split your authoritative and recursive services, you still have no way 
to stop your recursive name server going down if a situation like I 
mentioned happens. Caching time-outs would help 100% in my opinion.

Ladislav

Kevin Darcy wrote:

>"Seme, Markus" wrote:
>
>>Hi,
>>I want to block queries from several, different source IPs (spoofed) to
>>the same domain (DoS).
>>The domain is not under my authorization - for example microsoft.com
>>!?
>>
>>It's easy to configure BIND9 with acl and allow-query for local zones
>>(in my authorization) - for example:
>>
>>zone "local.com" {
>>        type master;
>>        file "local.com.zone";
>>        allow-query { none; };
>>};
>>
>>But I haven't any idea how I should configure it to block the queries
>>for a domain that is not under my authorization!
>>
>>Or is there any other way to block such DoS?
>
>Generally speaking, this is better handled by restricting recursion.
>Unless you already have the answer cached, the only way your nameserver
>can get information about zones for which it is not authoritative is by
>recursing to get the answer. So, no recursion = no answer (more or
>less). In order to lessen the chance of the answer being cached (and
>therefore being returned even in the absence of recursion), it is
>recommended to completely segregate your recursive and non-recursive
>nameservice.
>
>- Kevin
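The segregated setup Kevin describes, written out as an added example that is not part of the original thread: two named.conf fragments for a current BIND 9, one for a recursive resolver that only recurses for the local network, and one for an authoritative server with recursion switched off. A per-zone `allow-query` like the one in Markus's question only covers names the server is authoritative for; a query for microsoft.com never reaches that zone statement and is governed instead by the global options and the recursion controls below. The ACL name `trusted`, the address ranges and the zone file paths are assumptions; `allow-query-cache` is an option newer than the 2003-era BIND discussed here, and older releases control cache access through `allow-recursion` alone.

```conf
/* --- recursive resolver (internal clients only); example, not from the thread --- */

/* assumed internal ranges; adjust to the real network */
acl "trusted" {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
    localnets;
};

options {
    directory "/var/named";          /* assumed path */
    recursion yes;

    /* only trusted clients may have queries recursed for them;
       a query for a foreign name from anyone else is refused, so
       no lookup is performed and nothing new enters the cache */
    allow-recursion { trusted; };

    /* BIND 9.4+: stop outsiders from reading answers already cached
       on behalf of trusted clients (closes the "cached answer returned
       without recursion" case Kevin mentions) */
    allow-query-cache { trusted; };

    /* non-recursive queries for our own zones may still come from anywhere */
    allow-query { any; };
};

/* --- separate authoritative server (public); example, not from the thread --- */

options {
    directory "/var/named";          /* assumed path */
    recursion no;                    /* never look up foreign names for anyone */
    allow-query { any; };            /* serve only the zones listed below */
};

zone "local.com" {
    type master;
    file "local.com.zone";           /* path from the original question */
};
```

With recursion disabled on the public box, a query for a name it does not serve gets a referral or REFUSED rather than a lookup, so floods against foreign domains cost it nothing beyond the incoming packet. The resolver still sees all the traffic from its own (possibly infected) clients, which is the case Ladislav's reply is about; recursion ACLs do not help when the source addresses are genuine and trusted.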


