named recursive queries
Chuck Swiger
cswiger at mac.com
Thu Jun 8 06:08:47 UTC 2006
Maxim Konovalov wrote:
> [ Bikeshed zone ]
>
> I think we need to stop spreading misconfigured named's too.
> Any objections?
It seems clear that people who want to run a recursive nameserver will be able
to change this if your proposed change is made. However, which problem are
you trying to solve with it?
Yes, people can send queries with a spoofed sender to perform a DoS, and yes,
permitting recursive queries lets the attacker choose a large response from
any zone rather than having to tailor the attack to each nameserver.
But querying each individual nameserver for the SOA record of its domain
would do just about as well for a DoS, and besides, you can construct a DoS
attack using spoofed traffic via any open service, from chargen to HTTP....
The right solution to that problem is egress filtering of spoofed traffic at
the ISP-level. [1] I'd be happier if named grew a mechanism to rate-limit
queries made by foreign networks (or local ones, for that matter), rather than
this change. [2]
--
-Chuck
[1]: http://www.mit.edu/~rbeverly/papers/spoofer-sruti05.html
[2]: serial-query-rate exists, but isn't really what's needed.
Perhaps no change in BIND is going to solve the broader problem that 25% of
the netblocks out there permit spoofing -- a more generalized solution in the
network stack (similar to net.inet.icmp.icmplimit) rather than in a specific
application might do, or perhaps at the firewall level via dummynet or equivalent.
> Index: named.conf
> ===================================================================
> RCS file: /home/ncvs/src/etc/namedb/named.conf,v
> retrieving revision 1.22
> diff -u -p -r1.22 named.conf
> --- named.conf 5 Sep 2005 13:42:22 -0000 1.22
> +++ named.conf 7 Jun 2006 21:56:26 -0000
> @@ -30,6 +30,13 @@ options {
> //
> // forward only;
>
> +// Prevent external networks from using us to query domains we are not
> +// authoritative for.
> +//
> + allow-recursion {
> + localhost;
Surely this should be localnets...?
> + };
> +
> // If you've got a DNS server around at your upstream provider, enter
> // its IP address here, and enable the line below. This will make you
> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>
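Review bot: `allow-recursion { localhost; }` only admits recursive queries that arrive over the loopback interface, so a host that acts as the resolver for its LAN stops giving those clients recursive answers after this change, while the comment above the block ("Prevent external networks from using us") suggests only outside networks are affected. Suggest adding `localnets;` next to `localhost;` (or referencing an `acl` the administrator can extend with their own netblocks) and noting in the comment that a server used by other hosts on the local network must list those networks here.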
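A small checker, added here as an example and not part of this thread or of FreeBSD's named.conf, that reads an `options` block and reports who may use the server for recursion; the three named.conf fragments are constructed in the style of the quoted patch. It goes slightly beyond the thread by also recognising `recursion no;`, `any` and `none`.

```python
import re

# Constructed named.conf fragments (not from the thread): the patch's
# loopback-only ACL, the localnets variant Chuck suggests, and the open default.
LOOPBACK_ONLY = """
options {
        directory       "/etc/namedb";
        // Prevent external networks from using us to query domains we are not
        // authoritative for.
        allow-recursion {
                localhost;
        };
};
"""
LAN_ONLY = """
options {
        allow-recursion { localhost; localnets; };
};
"""
OPEN_DEFAULT = """
options {
        /* nothing here restricts recursion, so BIND recurses for anyone */
        directory "/etc/namedb";
};
"""

def strip_comments(conf):
    """Drop /* */, // and # comments so a commented-out ACL is not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def recursion_acl(conf):
    """Return the ACL elements of allow-recursion, or None if the option is absent."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", strip_comments(conf))
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def classify(conf):
    """Classify which clients can make this server recurse on their behalf."""
    if re.search(r"\brecursion\s+no\s*;", strip_comments(conf)):
        return "disabled"        # recursion switched off globally
    acl = recursion_acl(conf)
    if acl is None or "any" in acl:
        return "open"            # default: anyone on the Internet may recurse
    if acl == ["none"]:
        return "disabled"
    if set(acl) == {"localhost"}:
        return "loopback-only"   # LAN clients no longer get recursive answers
    if set(acl) <= {"localhost", "localnets"}:
        return "localnets"       # the server's own networks, as Chuck proposes
    return "custom:" + ",".join(acl)
```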