conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration
Maxim Konovalov
maxim.konovalov at gmail.com
Wed Apr 3 12:10:01 UTC 2013
The following reply was made to PR conf/177607; it has been noted by GNATS.
From: Maxim Konovalov <maxim.konovalov at gmail.com>
To: Mark Knight <markk at lnigma.org>
Cc: bug-followup at freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
dangerous BIND configuration
Date: Wed, 3 Apr 2013 16:03:04 +0400 (MSK)
Hello,
[...]
> >Description:
>
> The comment in the default named.conf encourages users to slave the root but does not provide
> an example configuration that prevents a name server being used as an amplifier in DDOS attacks.
> Users who adopt this configuration by uncommenting the supplied entries are likely to receive
> abuse reports or be unwitting participants in a DDOS attack.
> >How-To-Repeat:
> Uncomment zone "." entry and then run dig -t ns @x.x.x.x . from the Internet.
With the "listen-on { 127.0.0.1; };" at line 22 it won't hurt
anybody. If you are going to change this setting then you have more
work to secure your named server.
--
Maxim Konovalov
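
A small audit of the condition discussed in this exchange, as an added example that is not part of the original message or of FreeBSD's named.conf: it reports whether a slaved root zone is reachable beyond loopback without a query restriction. The function names and sample configurations are constructed for illustration, and treating `allow-query` as the restriction is an assumption about what the extra securing work would include.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost", "none"}

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block(conf, header):
    """Body of the first `header { ... }` statement, honouring nested braces."""
    m = re.search(header + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def match_list(body, option):
    """Elements of `option [port N] { a; b; };`, or None when the option is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(option) + r"(?![\w-])[^{;]*\{([^}]*)\}", body or "")
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(text):
    conf = strip_comments(text)
    root = block(conf, r'zone\s+"\."(?:\s+IN)?')
    if root is None or not re.search(r"\btype\s+(slave|secondary)\s*;", root):
        return "ok: root not slaved"
    opts = block(conf, r"\boptions")
    listen = match_list(opts, "listen-on")
    # An absent listen-on means named listens on all IPv4 interfaces (BIND default).
    if listen is not None and set(listen) <= LOOPBACK:
        return "ok: loopback only"
    query = match_list(root, "allow-query")      # zone-level setting wins
    if query is None:
        query = match_list(opts, "allow-query")
    # An absent allow-query defaults to "any"; ACL names count as restricted here.
    if query is None or "any" in query:
        return "exposed: root zone answers any client"
    return "ok: allow-query restricted"

# Constructed samples (documentation addresses, placeholder file name).
ROOT = 'zone "." { type slave; file "example.root"; masters { 192.0.2.1; }; %s };\n'
LOOPBACK_ONLY = 'options { listen-on { 127.0.0.1; }; };\n' + ROOT % ""
WIDENED = 'options { // listen-on { 127.0.0.1; };\n };\n' + ROOT % ""
RESTRICTED = 'options { listen-on { 192.0.2.53; }; };\n' + ROOT % "allow-query { localhost; };"

if __name__ == "__main__":
    for name in ("LOOPBACK_ONLY", "WIDENED", "RESTRICTED"):
        print(name, "->", audit(globals()[name]))
```

Only `listen-on` statements present in the file are evaluated; `listen-on-v6` and named ACL contents are not resolved.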