Advisory Notice for Bind Default Configuration and Reflector Attacks

Paul Vixie paul at vix.com
Thu Mar 23 18:21:47 UTC 2006


# 	(i cross-posted to bind9 and bind because i am unsure if they are
# 	still separate or not)

that's fine, i think they go to the same place internally.  but just in case,
i will likewise send to both lists.

# > The default configuration (open recursive servers) could potentially
# > leave your systems vulnerable to being used in malicious attacks.
# > We strongly advise you to reconfigure the recursive servers to
# > mitigate this risk.
# 
# my home was under the attack.  bad guys sent "MX for msn.com" and stuff.
# 
# even though i restrict recursion, my server returned list of TLD servers (13
# .com servers, packet size is almost 512 bytes).  so even though there is not
# traffic increase, i see 1 return packet against 1 attack packet.  is it
# intentional, or am i using too old code?

allow-recursion was a bad idea and i apologize for its existence.  it should
be deprecated in my opinion.  what you need is allow-query, which means either
that you'll have to run recursive nameservice on a different ip listener
address than authority service (which i recommend for other strong reasons),
or you'll have to set up a multilevel config file as follows:

	# global settings
	options {
		...
		recursion yes;
		allow-query { localnets; };
		...
	};
	
	# for every zone
	zone ... {
		allow-query { any; };
	};

i don't know what to do about allow-recursion, it enables logic that never
does anything useful and often/usually does something harmful, yet it's in
our config syntax now and therefore impossible to quickly get rid of.


More information about the bind-workers mailing list
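The following is an added example, not code from the post above or from BIND itself: a small named.conf checker that encodes the advice in the thread. It treats allow-recursion as a restriction on recursion only (the quoted poster still saw non-recursive referral answers leave the server), and treats allow-query at the options level plus a per-zone allow-query { any; } as the control that actually decides who gets answered. The two configurations it checks are constructed samples, and the parser assumes a simplified named.conf grammar (brace blocks, `name { ...; };` address lists, `recursion yes|no;`), not the full syntax.

```python
import re

# Constructed sample configs for the checker (not from the original post).
# Weak setting: recursion on, allow-recursion restricts who may recurse,
# but nothing restricts who may query, so every client gets an answer.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; };  // limits recursion only
};
zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

# Corrected setting from the post: allow-query restricted globally,
# then re-opened per zone so authoritative data stays reachable.
SPLIT_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; };
};
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-query { any; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, brace_pos):
    """Return the text between the brace at brace_pos and its matching close."""
    depth = 0
    for i in range(brace_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def acl(body, name):
    """Address-match list of `name { ...; };` in body, or None if not set."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", body)
    if not m:
        return None
    return [t.strip() for t in block_body(body, m.end() - 1).split(";") if t.strip()]


def yes_no(body, name):
    """Value of a `name yes;` / `name no;` statement, or None if not set."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(yes|no)\s*;", body)
    return m.group(1) if m else None


def assess(conf):
    """Check a named.conf text against the advice in the post."""
    text = strip_comments(conf)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    opts = block_body(text, m.end() - 1) if m else ""
    recursion = yes_no(opts, "recursion") or "yes"      # BIND defaults to yes
    allow_query = acl(opts, "allow-query")              # unset means { any; }
    allow_rec = acl(opts, "allow-recursion")
    findings = []
    if allow_rec is not None:
        findings.append("allow-recursion set: restricts recursion only; "
                        "non-recursive answers still go to any client allow-query admits")
    if recursion == "yes" and (allow_query is None or "any" in allow_query):
        findings.append("open resolver: recursion yes and allow-query unrestricted in options")
    zones = []
    for zm in re.finditer(r'(?<![\w-])zone\s+"([^"]+)"[^{]*\{', text):
        zone_acl = acl(block_body(text, zm.end() - 1), "allow-query")
        zones.append((zm.group(1), zone_acl))
        if allow_query is not None and "any" not in allow_query and zone_acl is None:
            findings.append(f'zone "{zm.group(1)}" inherits the restricted allow-query; '
                            "authoritative answers unreachable from outside")
    return {"recursion": recursion, "allow_query": allow_query,
            "allow_recursion": allow_rec, "zones": zones, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("open resolver", OPEN_RESOLVER_CONF), ("split config", SPLIT_CONF)):
        result = assess(conf)
        print(f"{label}: {len(result['findings'])} finding(s)")
        for f in result["findings"]:
            print("  -", f)
```

Running it reports two findings for the first sample (allow-recursion in use, and an open resolver because allow-query is unrestricted) and none for the second. The third check, a zone that lacks its own allow-query while the global one is restricted, catches the failure mode of applying only half of the multilevel config: authority service becomes unreachable from outside.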