[RndTbl] DNS Amplification DoS

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Mon Sep 17 14:42:28 CDT 2012


On 2012-09-17 14:36, Gilles Detillieux wrote:
> My understanding is that open DNS servers that allow unrestricted
> recursion are frowned upon these days, for the very reasons for which
> you've expressed concern.  I believe best practice nowadays is to
> specify a limited set of subnets for which you allow recursion. For
> example, at the U of M we'll typically include something like the
> following in the "options" section of our named.conf files, to prevent
> recursive lookups from outside users:
>
>      allow-recursion {
>          140.193.0.0/16;
>          130.179.0.0/16;
>      };

Another way of doing this, which would allow even more flexibility in 
configuring BIND for internal vs. external access, is to define two views:

view internal_resolver {
         match-clients      { YOUR.SUB.NET.ADDR/CIDR; };
         match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
         recursion yes;
         include "/etc/named.internal.zones";
};

view external_resolver {
         match-clients      { any; };
         recursion no;
         include "/etc/named.external.zones";
};

-- 
Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609
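Putting the two suggestions from this thread together, here is an added example of a minimal named.conf (not the author's configuration) that names the trusted prefix once as an ACL, locks recursion down in "options" as a fallback, and then splits internal and external service into views. The ACL name, the 192.0.2.0/24 prefix and the include paths are placeholders.

```conf
// Added example, not from the original post. The ACL name, the
// 192.0.2.0/24 prefix (RFC 5737 documentation range) and the include
// file paths are placeholders; substitute your own.
acl "campus" {
        192.0.2.0/24;
        localhost;
};

options {
        directory "/var/named";
        // Fallback in case a view is ever misconfigured: only the
        // trusted prefix may ask for recursion or read the cache.
        allow-recursion   { campus; };
        allow-query-cache { campus; };
};

// Trusted clients get a full recursive resolver plus internal zone data.
view "internal" {
        match-clients      { campus; };
        match-destinations { campus; };
        recursion yes;
        include "/etc/named.internal.zones";   // placeholder path
};

// Everyone else gets authoritative answers only. With recursion off,
// a spoofed query for an arbitrary name is refused rather than
// answered with a large response aimed at the forged source address.
view "external" {
        match-clients { any; };
        recursion no;
        include "/etc/named.external.zones";   // placeholder path
};
```

After `named-checkconf` passes, a query from outside the ACL for a name you are not authoritative for (`dig @your-server example.org +recurse`) should come back REFUSED, and no reply to outside clients should carry the `ra` flag.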

