DNS "Zone Update" Attack

Stefan Puiu stefan.puiu at gmail.com
Tue Nov 29 12:45:34 UTC 2005

I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
change is required from the default. You have to explicitly state some
update-policy or allow-update statement in order to permit updates.

On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
> There appear to be two ways of doing this in BIND 9.3.1.  The first would be
> to add the following to each zone statement.
>         allow-updates { none; };
> I'm not sure that the above syntax is correct.  The second would be to add the
> following to the options statement.
>         blackhole {; };
> The latter seems easier to manage but may have unexpected side-effects.  By
> the way, that is the IP address of the system attempting to update our DNS
> zones.

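An added example, not part of the thread or of BIND itself: a small Python audit that reads a named.conf and reports, per zone, whether dynamic updates are refused (no statement at all, or allow-update { none; }) or which statement permits them. The sample configuration, zone names, key name and the 192.0.2.66 address are constructed placeholders, and only zone-level statements are examined (an allow-update set in options or a view is not followed).

```python
import re

# Constructed sample named.conf; every name and address is a placeholder.
SAMPLE = '''
options {
    directory "/var/named";
    blackhole { 192.0.2.66; };   // ignore all traffic from this source
};
zone "static.example" { type master; file "static.db"; };
zone "locked.example" { type master; file "locked.db"; allow-update { none; }; };
zone "open.example" { type master; file "open.db"; allow-update { any; }; };
zone "keyed.example" {
    type master; file "keyed.db";
    update-policy { grant ddns-key. subdomain keyed.example. A; };
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments (assumes none occur inside quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def block_at(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def audit_updates(conf):
    """Map each zone name to 'denied' or to the statement that permits updates."""
    conf = strip_comments(conf)
    result = {}
    for zone in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_at(conf, zone.end() - 1)
        verdict = 'denied'  # no update statement in the zone: updates are refused
        for stmt in re.finditer(r'\b(allow-update|update-policy)\s*\{', body):
            acl = ' '.join(block_at(body, stmt.end() - 1).split())
            if not (stmt.group(1) == 'allow-update' and acl == 'none;'):
                verdict = f'{stmt.group(1)} {{ {acl} }}'
        result[zone.group(1)] = verdict
    return result

if __name__ == '__main__':
    for name, verdict in audit_updates(SAMPLE).items():
        print(f'{name:16} {verdict}')
```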