DDOS attack Bind 9.9 - P2

Vernon Schryver vjs at rhyolite.com
Fri May 3 20:13:47 UTC 2013

> From: <rohan.henry at cwjamaica.com>

> >What if both authoritative and recursive are running on the same
> >server since RRL does not apply to recursive servers?

> Found the answer to below.
> According to isc-tn-2012-1.txt hybrid authority/recursive servers
> are out of scope.

I disagree.  What isc-tn-2012-1.txt says is

    Deliberately open recursive DNS servers, or hybrid authority/recursive
    servers or server views, are outside the scope of ***THIS DOCUMENT.***
    (emphasis added)

Recursive servers should be closed instead of open to the Internet.
When a single BIND instance is used for both local recursive service
and global authoritative service, a good way to close the recursive
service to the Internet while providing authoritative service to the
Internet is with two views.  The external view can disable recursion
and include a rate-limit{} statement to apply RRL to responses to
external DNS clients.  Another way to close recursion to the Internet
is to use allow-recursion{address-match-list}; and
rate-limit{exempt-clients{address-match-list}}; statements in the main
options statement.

If you must keep your recursive server open to the Internet, then you MUST
do some sort of rate limiting.  If you cannot do rate limiting that
is even fancier than RRL such as Google's, then an open recursive
server with RRL is far better than a naked open recursive DNS server.
See https://developers.google.com/speed/public-dns/docs/security#rate_limit

The problem with RRL on recursive servers is that it works.  Any rate
limiting sufficiently low to minimize the danger of DNS reflection DoS
attacks including RRL can affect applications such as web browsers and
SMTP servers (mail receivers) that send bursts of identical DNS requests.
With RRL, those effects are generally limited to pauses and slowdowns
as affected applications time out and retry.

Vernon Schryver    vjs at rhyolite.com
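The two-view layout described in the message above, written out as a named.conf fragment. This is an added example, not configuration from the post or from ISC; the network 192.0.2.0/24, the zone example.net and the file names are assumed placeholders, and the RRL numbers are starting points to tune against your own traffic.

```conf
// Added example: hybrid recursive/authoritative BIND 9.9 instance.
// 192.0.2.0/24, example.net and file names are assumed placeholders.
options {
    directory "/var/named";
    // Default for every view: recursion only for local clients.
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};

// Internal view: local clients get recursion and are not rate limited.
view "internal" {
    match-clients { 127.0.0.1; 192.0.2.0/24; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };
    zone "example.net" { type master; file "db.example.net"; };
};

// External view: everyone else. Recursion is closed and RRL applies
// to the authoritative answers sent to these clients.
view "external" {
    match-clients { any; };
    recursion no;
    rate-limit {
        responses-per-second 5;  // identical answers per IPv4 /24 per second
        window 5;                // seconds of credit a client may accumulate
        slip 2;                  // every 2nd dropped answer is sent truncated (TC=1)
        log-only no;             // set to yes first to observe before enforcing
    };
    zone "example.net" { type master; file "db.example.net"; };
};

// Alternative without views (cannot coexist with the views above):
// close recursion and exempt local clients from RRL in options.
//
// options {
//     allow-recursion { 127.0.0.1; 192.0.2.0/24; };
//     rate-limit {
//         responses-per-second 5;
//         window 5;
//         slip 2;
//         exempt-clients { 127.0.0.1; 192.0.2.0/24; };
//     };
// };
```

Run named-checkconf on the result before reloading, and watch the rate-limit logging category while log-only is yes to confirm only reflection-style bursts are being limited.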

