DNS "Zone Update" Attack

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Tue Nov 29 05:01:33 UTC 2005


Today I noticed that one of our external name servers was under a heavy load.  
A site in India was attempting to perform DNS updates on our corporate zone 
files.  Most of the attempts involved valid host names in domains that are 
not exposed to the Internet.

One question is whether anyone has observed this type of behaviour, either currently or 
in the past?

A second question is what is the best way to defeat attempts to update DNS 
zone files?

There appear to be two ways of doing this in BIND 9.3.1.  The first would be 
to add the following to each zone statement.

	allow-update { none; };

I'm not sure that the above syntax is correct.  The second would be to add the 
following to the options statement.

	blackhole { 202.54.91.119; };

The latter seems easier to manage but may have unexpected side-effects.  By 
the way, that is the IP address of the system attempting to update our DNS 
zones.

Any suggestion or recommendations?

Merton Campbell Crockett


-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
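The two controls discussed in the post, put together in one named.conf fragment for BIND 9.3.x. This is an added example, not the poster's configuration or ISC's documentation: the zone names, file paths, log path, key name and secret are placeholders, and the only real address is the one given in the post. It adds two things the post does not mention: a logging channel so that refused update attempts can be counted per client, and the TSIG-based update-policy form for the case where a zone genuinely has to accept updates (allow-update and update-policy are mutually exclusive within a zone).

```conf
// Added example (placeholders throughout), not part of the original post.

// Addresses whose packets should be dropped outright. Keep this list short:
// anything behind a blackholed address loses resolution for your zones too.
acl "update-abusers" {
    202.54.91.119;          // address named in the post
};

// Placeholder TSIG key; generate a real secret with dnssec-keygen.
key "ddns-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";
};

options {
    directory "/var/named";
    // blackhole: no response at all is sent to these sources, so the server
    // stops spending cycles answering them. Global side effect: they also
    // cannot query any zone this server serves.
    blackhole { "update-abusers"; };
};

logging {
    channel update_log {
        file "/var/log/named/update.log" versions 5 size 2m;
        print-time yes;
        print-category yes;
    };
    // "security" records approval/denial of requests, "update" records
    // dynamic updates; together they show which clients keep retrying.
    category security { update_log; };
    category update   { update_log; };
};

// Deny dynamic updates explicitly on each authoritative zone. BIND 9 already
// denies updates by default, so this is a belt-and-braces statement; it does
// not stop the server from receiving and refusing the packets (blackhole does).
zone "example.com" {
    type master;
    file "zones/example.com.db";
    allow-update { none; };
};

// A zone that must accept updates: require the TSIG key rather than trusting
// a source address. 'subdomain' is a grant type available in 9.3.
zone "dyn.example.com" {
    type master;
    file "zones/dyn.example.com.db";
    update-policy { grant ddns-key subdomain dyn.example.com. ANY; };
};
```

Check the result with `named-checkconf` before reloading, and keep the blackhole list separate from other ACLs so it can be reviewed and pruned on its own.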
