[RndTbl] DNS Amplification DoS
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Mon Sep 17 14:42:28 CDT 2012
On 2012-09-17 14:36, Gilles Detillieux wrote:
> My understanding is that open DNS servers that allow unrestricted
> recursion are frowned upon these days, for the very reasons for which
> you've expressed concern. I believe best practice nowadays is to
> specify a limited set of subnets for which you allow recursion. For
> example, at the U of M we'll typically include something like the
> following in the "options" section of our named.conf files, to prevent
> recursive lookups from outside users:
>
> allow-recursion {
>     140.193.0.0/16;
>     130.179.0.0/16;
> };
Another way of doing this, which would allow even more flexibility in
configuring BIND for internal vs. external access, is to define two views:
// Internal view: clients on our own subnets, querying our own addresses,
// get a full recursive resolver.
view internal_resolver {
    match-clients      { YOUR.SUB.NET.ADDR/CIDR; };
    match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
    recursion yes;
    include "/etc/named.internal.zones";
};

// External view: everyone else gets authoritative data only, recursion off.
// Views are matched in order, so this catch-all must come last. Note that
// once any view is defined, every zone statement (hints included) has to
// live inside a view, or named will refuse to start.
view external_resolver {
    match-clients { any; };
    recursion no;
    include "/etc/named.external.zones";
};
--
Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
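Whether an allow-recursion list or a "recursion no" view actually closes the resolver to outsiders is something worth verifying from an external address. The Python script below is an added example and not part of the thread above: it builds a DNS query with the RD bit set, parses the reply header, and reports whether the server granted recursion (RA set, NOERROR, answers present) or refused it, along with the reply/query size ratio that makes open resolvers attractive as amplifiers. The two sample replies are constructed inline so the classification runs offline; probe() sends a real query and needs network access.

```python
"""Open-resolver check for a DNS server (added example, not from the thread).

build_query() encodes a query with RD=1; parse_reply() decodes the 12-byte
header; classify() decides whether the server behaved as an open recursive
resolver and computes the amplification ratio. Sample replies are constructed.
"""
import socket
import struct


def build_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Encode a DNS query for `name` with RD (recursion desired) set.
    qtype 255 (ANY) is the classic amplification query: largest replies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_reply(reply: bytes) -> dict:
    """Decode the DNS header: QR/RD/RA flags, rcode and section counts."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, reply: bytes) -> dict:
    """An open resolver sets RA, answers NOERROR and returns answer records.
    A server with recursion disabled typically answers REFUSED with RA clear."""
    h = parse_reply(reply)
    open_recursion = h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
    return {
        "open_recursion": open_recursion,
        "ra": h["ra"],
        "rcode": h["rcode"],
        "amplification": round(len(reply) / len(query), 2),
    }


def probe(server: str, name: str, qtype: int = 255, timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 to a real server (requires network access)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(q, reply)


# Constructed sample data (hypothetical, for offline use).
QUERY = build_query("example.com", 255)

# Reply of an open resolver: QR|RD|RA set, NOERROR, 3 answers, body padded
# to mimic a large ANY response.
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
              + QUERY[12:] + b"\x00" * 300)

# Reply of a resolver configured with "recursion no": QR|RD set, RA clear,
# rcode 5 (REFUSED), question echoed back, no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]


if __name__ == "__main__":
    print("open resolver sample:   ", classify(QUERY, OPEN_REPLY))
    print("recursion-off sample:   ", classify(QUERY, REFUSED_REPLY))
```

Run probe("your.ns.ip", "example.com") from a host outside the allowed subnets; a correctly restricted server should come back with rcode 5 and RA clear, and an amplification ratio near 1.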