please review Bv9ARM-book changes for integrating AusCERT AL-1999.004

Peter Koch pk at DENIC.DE
Mon Apr 30 13:24:23 UTC 2007


Hi,

I agree with most of what Andras said.

> > Bv9ARM-book.xml? What needs to be rewritten or improved? Does the AusCERT 
> > AL-1999.004 even matter in 2007?
> 
> A lot of this is redundant considering the rest of the ARM.

a similar attack was launched in early 2006, so the basic issue still
exists. However, all these recommendations do not protect the server from
DDoS, they protect it from being exploited as an accomplice.

> As far as I know, yes -- but I am not familiar with how widely used
> ingress filtering has become in the intervening period.  The people
> on DNSOP might be able to help with that.  My impression is that this

The IETF DNSOP WG prepared a document "Preventing Use of Recursive Nameservers
in Reflector Attacks" <draft-ietf-dnsop-reflectors-are-evil-03.txt>, which
will be submitted to the IESG for publication as a BCP RFC soon.

The basic recommendation (aiming at name server vendors/operators) is not to
provide recursive service by default. In addition, you might want to point
out that for DNS security reasons you not only do not want to provide
recursion to random queriers, you also do not want to offer access to your
cache content.

> not allowing zone transfers seems completely unnecessary to address
> the concern about DDoS.  Zone transfers are done via TCP, which
> means attempts at zone transfers will fail (whether allowed or not)

Agreed, the DoS myth w.r.t. zone transfers is bad and would only be reality
for really huge zones. This is less about spoofed source addresses but
about consuming resources on the server. However, TCP connection setup and
tear down is almost the same for refused AXFRs as it is for any DNS query sent
via TCP (and you'd not refuse those).

> > 9.3 Limiting Version Number Availability
> > 
> > Allowing the version number of any software to be known 
> > to everyone is usually undesirable.
> 
> This is a point that can be debated.  An example of how to turn it
> off is useful, a diatribe about why it should be turned off is not.

While "security by obscurity" should not generally be encouraged (DNS
fingerprinting works quite well), the "version" statement in BIND 9
allows for easier obfuscation than setting up a zone.

-Peter
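The two configuration points raised in this message (not offering recursion or cache access to arbitrary queriers, and replacing the version string) as a minimal BIND 9 named.conf fragment. This is an added example, not text from the message, the ARM or the AusCERT advisory; the zone name, file name and the 192.0.2.0/24 addresses are placeholders, and the allow-query-cache statement assumes BIND 9.4 or later, where it was introduced.

```conf
options {
    directory "/var/named";

    // Authoritative-only server: do not recurse for anyone, rather than
    // relying on the default (older BIND 9 releases recursed for all).
    recursion no;

    // Refusing recursion is not enough on its own: without this, queries
    // with RD=0 can still read whatever the server happens to have cached
    // (glue, additional-section data). Deny cache reads to everyone.
    allow-query-cache { none; };

    // Limit version number availability. "version none;" is also
    // accepted and suppresses the version.bind CHAOS TXT answer entirely.
    version "not disclosed";
};

// Example zone with transfers limited to the secondary (placeholder
// address from the 192.0.2.0/24 documentation range).
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.0.2.2; };
};

// For a server that must also serve local clients, keep recursion but
// scope it with an ACL instead of turning it off (alternative to the
// "recursion no" above; do not combine both in one options block):
//
//     acl trusted { 127.0.0.1; 192.0.2.0/24; };
//     options {
//         allow-recursion   { trusted; };
//         allow-query-cache { trusted; };
//     };
```

To confirm the result from an outside vantage point, `dig @<server> version.bind txt chaos` should no longer return the real version string, `dig @<server> example.net a` (a name the server is not authoritative for) should come back REFUSED or with RA clear and no answer, and `dig @<server> +norecurse <cached name>` should not leak cached records. Run `named-checkconf` after editing and before reloading.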


More information about the bind-workers mailing list