Recursion question + trust?
Mark Andrews
Mark_Andrews at isc.org
Mon Mar 27 14:24:49 UTC 2006
> It seems that the advice at the moment is to disable recursion to everyone apart from customers, the reasoning being that customers are trustworthy and won't poison or knowingly poison the DNS server.
> Since this isn't true, I don't know what to do.
>
> I read this on webhostingtalk:
>
> "For example, I'm a spammer. I create a hostname for spam, something.myspam.tld.
>
> After that, I query your DNS server to resolve the host something.myspam.tld. It resolves that host and stores the info in its cache. All further requests for that host do not result in propagated lookups but are answered by the server from its cache, until the expiration for the zone occurs.
>
> After that, I set your DNS server as the authoritative server for my zone with the domain registrar.
>
> After that, I start sending spam.
>
> Now, you are screwed because it looks as if your DNS server is being used for spam."
>
> If this is true, how can I possibly guard against it (without allowing customers to poison the DNS)?
> What do (or maybe "should" is a better word) big ISPs do?
You set your access controls appropriately so only the
recursive-clients can see the cache. Block queries at
the options level and allow them at the zone level.

    // clients allowed to use the cache (your own customers)
    acl recursive-clients { .... };

    options {
        // recursion and cache access only for listed clients
        allow-recursion { recursive-clients; };
        allow-query { recursive-clients; };
    };

    // authoritative zone data stays visible to the world
    zone example.com {
        ....
        allow-query { any; };
    };
If the domain registrar was doing their job they would be
checking that the zone was being served by your servers
before allowing the registration changes to proceed.
i.e.
that they get two authoritative answers for the zone
with non-zero ttls from each of the servers.
If they did the checks then the above scam wouldn't work.
It would also catch lots of silly configuration errors
leading to a more reliable DNS.
Similarly the registry should be demanding that the above
checks are being performed. Some registries do this but
not all.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
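The registrar-side check described above (each listed server must return an authoritative answer with a non-zero TTL for the zone), as an added example that is not code from this thread, from ISC or from BIND. It is written in Python against the standard library only: it sends a SOA query with the RD bit clear, so a server that merely caches the zone returns a non-authoritative answer or REFUSED instead of recursing, and then tests the AA flag, RCODE and answer TTLs. The zone name and server addresses are assumptions, and `build_response` only constructs sample wire-format replies so the checker can be exercised offline.

```python
import socket
import struct

SOA = 6          # RR type for the zone's SOA record
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(zone, qtype=SOA, txid=0x1234):
    """Query with RD=0 so we see the server's own data, not a recursed answer."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, CLASS_IN)


def skip_name(data, offset):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract the fields the registrar check needs: AA flag, RCODE, answer TTLs."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    aa = bool(flags & 0x0400)
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        offset = skip_name(data, offset) + 4
    ttls = []
    for _ in range(an):                 # walk the answer RRs
        offset = skip_name(data, offset)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        ttls.append(ttl)
        offset += 10 + rdlen
    return {"aa": aa, "rcode": rcode, "answer_ttls": ttls}


def is_authoritative_answer(parsed):
    """True only for NOERROR, AA set, and at least one answer with TTL > 0."""
    return (parsed["rcode"] == 0 and parsed["aa"]
            and bool(parsed["answer_ttls"])
            and all(ttl > 0 for ttl in parsed["answer_ttls"]))


def query_server(server_ip, zone, timeout=3.0):
    """Send one UDP SOA query to a nameserver and parse the reply (needs network)."""
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def check_delegation(zone, servers):
    """Map each listed server address to whether it answers authoritatively."""
    return {ip: is_authoritative_answer(query_server(ip, zone)) for ip in servers}


def build_response(zone, aa, ttl, rcode=0, txid=0x1234):
    """Constructed sample reply for offline testing; not real server output."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    answers = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, CLASS_IN)
    if not answers:
        return header + question
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2006032701, 7200, 900, 1209600, 3600))
    # name field is a pointer (0xC00C) back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    # Offline demonstration on constructed replies; swap in check_delegation()
    # with real server addresses (assumed, e.g. ["192.0.2.1", "192.0.2.2"]) to query.
    for label, reply in [("authoritative", build_response("example.com", True, 3600)),
                         ("cache-only", build_response("example.com", False, 3600)),
                         ("zero ttl", build_response("example.com", True, 0)),
                         ("refused", build_response("example.com", True, 3600, rcode=5))]:
        print(label, is_authoritative_answer(parse_response(reply)))
```

A server that only has the zone in its cache, or that does not serve it at all, fails this check, which is exactly the case the thread describes: the registrar would decline the delegation change before any mail could point at it.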