DNS "Zone Update" Attack
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Tue Nov 29 05:01:33 UTC 2005
Today I noticed that one of our external name servers was under a heavy load.
A site in India was attempting to perform DNS updates on our corporate zone
files. Most of the attempts involved valid host names in domains that are
not exposed to the Internet.
One question is whether anyone has observed this type of behaviour, either
currently or in the past?
A second question is what is the best way to defeat attempts to update DNS
zone files?
There appear to be two ways of doing this in BIND 9.3.1. The first would be
to add the following to each zone statement.
allow-update { none; };
I'm not sure that the above syntax is correct. The second would be to add the
following to the options statement.
blackhole { 202.54.91.119; };
The latter seems easier to manage but may have unexpected side-effects. By
the way, that is the IP address of the system attempting to update our DNS
zones.
Any suggestion or recommendations?
Merton Campbell Crockett
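The two approaches from the post, written out as a complete named.conf fragment. This is an added example, not configuration from the original post or from ISC; the zone name, ACL name, file paths and log path are placeholders, and only the source address comes from the post. The blackhole approach drops every packet from the listed addresses, so those clients receive no answers at all, not merely no updates; that is the side effect worth weighing before choosing it over the per-zone setting.

```conf
// Added example (not from the original post): named.conf fragment for BIND 9.x
// showing both ways to refuse dynamic updates described above.

// Approach 2: ignore all traffic from the listed sources.  Side effect: these
// clients get no responses of any kind, including to ordinary queries.
acl "update-abusers" {
    202.54.91.119;          // address quoted in the post
};

options {
    directory "/var/named";             // placeholder path
    blackhole { "update-abusers"; };
};

// Record approvals and denials of update requests so attempts remain visible
// after they are blocked (category name taken from the BIND ARM; confirm it
// exists in the version you run).
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 5m;   // placeholder path
        print-time yes;
        severity info;
    };
    category update-security { update_log; };
};

// Approach 1: refuse dynamic updates on each zone.  This is also BIND's default
// when no allow-update clause is present; stating it explicitly documents intent
// and survives someone later adding an update-policy by mistake.
zone "example.com" IN {                 // placeholder zone name
    type master;
    file "example.com.zone";
    allow-update { none; };
};
```

Because allow-update defaults to none, a zone that has no allow-update or update-policy clause already rejects these requests; the load the post describes is then the cost of receiving and refusing each UPDATE, which only the blackhole (or a filter in front of the server) removes.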