DNS "Zone Update" Attack
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Tue Nov 29 16:24:57 UTC 2005
On Tue, 29 Nov 2005, Stefan Puiu wrote:
> I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
> change is required from the default. You have to explicitly state some
> update-policy or allow-update statement in order to permit updates.
Understood. The dynamic DNS update requests were being rejected; however,
the activity did consume resources.
A complicating factor is that our IT department insisted that I move the
external name server from a BSD/OS to a Linux-based system. The latter
isn't POSIX thread compliant or, at least, I assume it's still not
compliant as BIND complains that it is not able to take advantage of the
dual-processor hardware.
I do not intend to honour dynamic DNS update requests on this server. I
want to minimise the resources needed to log the event and terminate the
request as quickly as possible.
So, the question boils down to what is the best way to terminate DNS
requests that you do not intend to support?
> On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
> >
> >
> > There appear to be two ways of doing this in BIND 9.3.1. The first
> > would be to add the following to each zone statement.
> >
> > allow-updates { none; };
> >
> > I'm not sure that the above syntax is correct. The second would be to
> > add the following to the options statement.
> >
> > blackhole { 202.54.91.119; };
> >
> > The latter seems easier to manage but may have unexpected
> > side-effects. By the way, that is the IP address of the system
> > attempting to update our DNS zones.
> >
Merton Campbell Crockett
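The two options discussed in the thread, written out as an added named.conf example (not configuration posted by the author). The address is the one quoted above; the zone name, file names and logging channel are assumptions for illustration.

```conf
// Added example, not from the original post. Zone name, file names and the
// logging channel path are assumptions; the blackholed address is the one
// quoted in the thread.

options {
    directory "/var/named";

    // Option 2 from the thread: drop every packet from this address at the
    // door, ordinary queries included. BIND never parses or answers it, so
    // this is the cheapest way to refuse, but it also silences legitimate
    // lookups and NOTIFY messages from that host.
    blackhole { 202.54.91.119; };
};

// Log only the update decisions, so a stream of rejected updates does not
// bury the rest of the log. The update-security category carries the
// "update ... denied" messages; run named-checkconf after adding it.
logging {
    channel update_log {
        file "update.log" versions 3 size 1m;
        severity info;
        print-time yes;
    };
    category update-security { update_log; };
};

// Option 1 from the thread, with the directive spelled as BIND accepts it
// (allow-update, singular). This is also the built-in default, so stating it
// documents intent rather than changing behaviour: the request is still
// parsed, answered with REFUSED and logged.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { none; };
};
```

Check the file with `named-checkconf` before reloading. To confirm the behaviour from another host, send a throwaway update with `nsupdate` (`server`, `update add`, `send`): with only `allow-update { none; }` in place, nsupdate reports `update failed: REFUSED`; once the sender's address is in `blackhole`, the same attempt times out because nothing is returned at all. The blackhole entry is tied to one source address and has to be maintained by hand as senders change, whereas the per-zone `allow-update` setting is the control that holds regardless of where the next update comes from.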