DDOS prevention - how to restrict queries to hint (root) zones?

Mark Andrews Mark_Andrews at isc.org
Tue Feb 3 11:17:35 UTC 2009

In message <1233658532.12933.42.camel at muccalla.uninsubria.it>, MAtteo HCE Valsa
sna writes:
> hi all,
> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
> package), that do both recursive queries for internal clients (with
> proper allow-recursion clause) and authoritative servers for the
> institution's domain.
> There are reports of DDOS attacks based on DNS requests for the root
> zone with spoofed source IP address: 
> * the attacker sends a request for the root zone with spoofed source
> address to a DNS server 
> * The intermediate victim (DNS server) sends the reply packet -
> significatively larger than the request - to the ultimate victim (the
> owner of the spoofed source IP address in the request packet).
> * the ultimate victim connection is flooded
> http://isc.sans.org/diary.html?storyid=5773
> I verified that our servers reply when queried from a non-trusted source
> address for the root zone. (and we must also notice that the
> "non-trusted source address" argument is pretty pointless when dealing
> with spoofed source addresses: if a query with a spoofed internal source
> address could reach the server, the server would just DDOS an internal
> machine. But we do discard inbound packets with internal source IP
> addresses on the network border).
> The first answer to this threat would be to disallow queries for the
> root zone would for any client (the root zone is used only by the server
> itself, right?).
> * Do you think there is any reason NOT do do this? 
> * Do you know a simple way to do this?
>         the trivial solution of adding an allow-query clause to the root
>         zone definition is refused by the server, as hint type zones
>         cannot have an allow-query clause - see
>         https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>         there is possibly a way to do this using views, but...
>         anything simpler?

	options {
		allow-query { recusrsive-clients; };
		allow-recursion { recusrsive-clients; };
	zone {
		type (slave|master);
		allow-query { any; };
	Or upgrade to BIND 9.4 or later and use allow-query-cache,
	BIND 9.3 is past end-of-life.


> best regards and thanks for any answer
> MAtteo Valsasna
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list