named recursive queries
Maxim Konovalov
maxim at macomnet.ru
Thu Jun 8 06:50:04 UTC 2006
On Wed, 7 Jun 2006, 23:29-0400, Chuck Swiger wrote:
> Maxim Konovalov wrote:
> > [ Bikeshed zone ]
> >
> > I think we need to stop spreading misconfigured named's too.
> > Any objections?
>
> It seems clear that people who want to run a recursive nameserver
> will be able to change this if your proposed change is made.
> However, which problem are you trying to solve with it?
>
> Yes, people can send queries with a spoofed sender to perform a DoS,
> and yes, permitting recursive queries lets the attacker choose a
> large response from any zone rather than having to tailor the attack
> to each nameserver.
>
> But querying each individual nameserver for the SOA record of its domain
By default there are master zones (hence SOA records) for
0.0.127.IN-ADDR.ARPA and ipv6 localhost ARPA in our named.conf.
Queries to them should be limited by the same ACL.
> would do just about as well for a DoS, and besides, you can construct a DoS
> attack using spoofed traffic via any open service, from chargen to HTTP....
That's why we don't have chargen turned on by default. For HTTP the
amplification is ~1, and personally I don't know of a way to construct an
effective DoS.
> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level. [1] I'd be happier if named grew a
> mechanism to rate-limit queries made by foreign networks (or local
> ones, for that matter), rather than this change. [2]
I agree that the problem in general should be solved by a complete
TCP/IP and Internet redesign :-) but personally I just want us to stop
spreading an incorrect named config and make people think a minute and
learn a bit _before_ they run an authoritative or recursive name
server based on our example config. It's just a question of being
good netizens. A lemming argument: all the other *BSDs are already doing that.
--
Maxim Konovalov
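As an added example, not part of the thread and not FreeBSD's shipped named.conf: a BIND 9 named.conf fragment that restricts recursion to local clients and applies the same ACL to the localhost reverse zones the thread mentions, so neither the cache nor those master zones' SOA records answer spoofed queries from foreign networks. The acl name, the 192.0.2.0/24 prefix, the directory and zone file paths are assumptions; the rate-limit block is a later BIND 9 feature (9.10 and up) shown as a comment-labelled option.

```conf
// Added example: BIND 9 named.conf fragment, not the thread's or FreeBSD's config.
// The acl name, the LAN prefix and the file paths below are assumptions.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;       // placeholder LAN prefix, replace with your own
};

options {
    directory "/etc/namedb";            // assumed path
    recursion yes;
    allow-recursion { "trusted"; };     // recursive lookups only for local clients
    allow-query-cache { "trusted"; };   // do not hand cached answers to strangers
    // The rate limiting asked for in the thread exists in BIND 9.10 and later (RRL);
    // it caps identical responses per client prefix rather than replacing the ACL.
    rate-limit {
        responses-per-second 10;
    };
};

// Default master zones: limit them with the same ACL, so a spoofed SOA query
// from outside gets no answer instead of a reflected response.
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost-reverse.db";     // assumed file name
    allow-query { "trusted"; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
    type master;
    file "master/localhost-reverse-v6.db";  // assumed file name
    allow-query { "trusted"; };
};
```

Check the result with `named-checkconf` and then confirm from an address outside the ACL that a recursive query and an SOA query for 0.0.127.IN-ADDR.ARPA are both refused.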