Dropping external recursive requests

Alberto Colosi/SI/RM/GSI/it alberto.colosi at sistinf.it
Wed Dec 3 23:34:29 UTC 2008

Why not? Better handled by ISC and done in a clean way than 1.000.000 
dirty ways like these ;)

-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
 *-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP

Mark Andrews <Mark_Andrews at isc.org> 
Sent by: bind-users-bounces at lists.isc.org
04/12/2008 00.26

To: bind-users at isc.org
cc:
Subject: Re: Dropping external recursive requests

One needs to be really, really careful here.  There are lots of
unverifiable assumptions in the OP query.  Also RD being set may
just be the result of someone testing with a tool which sets RD by
default.

Going silent on a query/response protocol is not a good idea.  There
are already too many firewalls / nameservers that do this to
legitimate queries.  We really don't want to encourage this sort
of behaviour.

If it is a forged packet it should be dropped regardless of the setting
of RD.  If the only reason to think the packet is forged is the setting
of RD=1 then the OP has committed a reasoning error.

Mark

In message <1228329427.23380.8.camel at vlab.buxton.lan>, Chris Buxton 
writes:
> That ought to work, and work well.
> 
> This will not impact outside name servers that query your name server,
> because they send iterative queries. If they're sending recursive
> queries, they're abusing your server. I can't see any problems with this
> approach.
> 
> If you have authoritative data in the third view, make sure that when
> the first view wants to look it up, its iterative query to the server
> machine itself is routed through to the third view (rather than being
> captured by the first view).
> 
> Chris Buxton
> Men & Mice
> 
> On Tue, 2008-12-02 at 17:10 -0800, john at feith.com wrote:
> > Our DNS server occasionally get requests for recursion with forged src
> > addresses.
> > Currently our server returns "Standard query response, Refused" since
> > our named.conf
> > only allows recursion for our internal machines.  This, of course,
> > results in the poor
> > machine whose address was forged receiving spurious traffic.
> > 
> > Some of the Cisco firewalls support DNS inspection and can be
> > configured to drop
> > requests which want recursion.  What are the ramifications of enabling
> > this?
> > 
> > Can bind be configured to do this?  I was thinking about something
> > like:
> > 
> > view "internal" {
> >   match-clients { localhost; localnets; };
> >   ...
> > }
> > 
> > view "external-recursive" {
> >   match-clients { any; };
> >   match-recursive-only yes;
> >   blackhole { any; };
> > }
> > 
> > view "external" {
> >   ...
> > }
> > 
> > -- John
> > john at feith.com
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
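The thread turns on two things a server can see in a query: the RD ("recursion desired") bit that John's view would match on, and the REFUSED reply that currently goes back to whatever source address the packet carried. The following is an added example, not code from the thread or from BIND: a few DNS wire-format helpers that decode the header flags, apply the "recursion only for internal clients" policy Mark and Chris describe (answer REFUSED, do not go silent), and measure how many bytes a forged source receives per spoofed query. The query message and the `decide`/`spurious_bytes_to_victim` helper names are constructed for illustration.

```python
import struct

# Added example: minimal DNS wire-format helpers to look at the RD flag the
# thread discusses and at the size of a REFUSED reply. Sample messages are
# constructed here; nothing is captured from a live server.

RD_BIT = 0x0100      # recursion desired (most query tools set it by default)
QR_BIT = 0x8000      # 1 = response, 0 = query
RA_BIT = 0x0080      # recursion available
RCODE_REFUSED = 5    # "Standard query response, Refused" in a packet capture


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Constructed query: QR=0, OPCODE=0, one question, RD as requested."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; this is all a server knows before the question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def refused_response(query: bytes) -> bytes:
    """What a server that does not allow recursion for this client sends back:
    same ID, same question echoed, QR=1, RD copied, RA=0, RCODE=REFUSED."""
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    rflags = QR_BIT | (flags & RD_BIT) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 0) + query[12:]


def decide(query: bytes, client_is_internal: bool) -> str:
    """Policy from the thread: recursion only for internal clients. RD=1 from an
    outside address alone is not evidence of forgery (Mark's point), so the
    server still answers, with REFUSED, rather than going silent."""
    hdr = parse_header(query)
    if hdr["qr"]:
        return "ignore"          # a response, not a query
    if hdr["rd"] and not client_is_internal:
        return "refused"
    return "answer"


def spurious_bytes_to_victim(query: bytes) -> int:
    """Bytes the forged source address receives per spoofed query: the REFUSED
    reply is header + echoed question, i.e. the same size as the query."""
    return len(refused_response(query))


if __name__ == "__main__":
    q = build_query("example.com.")
    print(parse_header(q))
    print(decide(q, client_is_internal=False), spurious_bytes_to_victim(q), "bytes")
```

Running it shows that for a 29-byte query the REFUSED reply is also 29 bytes: the victim of the forged source address gets one small packet per spoofed query, not an amplified one, which is the "spurious traffic" John describes and the reason Mark argues for keeping the protocol's normal reply rather than silently dropping on RD alone.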
