[RndTbl] DNS Amplification DoS
Gilles Detillieux
grdetil at scrc.umanitoba.ca
Mon Sep 17 15:21:51 CDT 2012
On 17/09/2012 3:07 PM, Sean Cody wrote:
>> Another way of doing this, which would allow even more flexibility in configuring BIND for internal vs external access is to define two views:
>>
>> view internal_resolver {
>> match-clients { YOUR.SUB.NET.ADDR/CIDR; };
>> match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
>> recursion yes;
>> include "/etc/named.internal.zones";
>> };
>>
>> view external_resolver {
>> match-clients { any; };
>> recursion no;
>> include "/etc/named.external.zones";
>> };
>>
> I agree this is a much better solution.
> It also allows a buy of flexibility for dealing with the same domain in different security domains (i.e. serverA is 10/X inside and 4.5.6.7 outside). Keeping naming consistent across zones AND ensuring internal resolvers for the same domain include external views as well is about 100 times easier to do with bind views.
In which version of BIND were views introduced? I wasn't aware of this
feature, and I can think of something I implemented this spring that
would likely have been MUCH easier to do with this feature. Does bind
use the first matching view for a given client address, in cases where
an address could match multiple "match-client" patterns?
--
Gilles R. Detillieux E-mail: <grdetil at scrc.umanitoba.ca>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba Winnipeg, MB R3E 0J9 (Canada)
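On the two questions raised above: views are a BIND 9 feature, and named evaluates views in the order they appear in named.conf, using the first view whose match-clients (and match-destinations, if given) both match the query. A catch-all view with match-clients { any; } must therefore come last. The following named.conf is an added illustration of that ordering, not a file from either poster; the 192.0.2.0/24 network and the zone-file paths are placeholders.

```conf
// Added example, not from the original posts. Shows view ordering in
// BIND 9: the first view whose match-clients and match-destinations
// both match wins, so the restrictive internal view precedes the
// catch-all external one. 192.0.2.0/24 and the file paths are placeholders.

acl internal_nets { 192.0.2.0/24; 127.0.0.0/8; };

options {
    directory "/var/named";
    // Safe default for any view that does not say otherwise.
    recursion no;
};

// Checked first: queries from internal addresses, arriving on an
// internal interface, get recursion and the internal zone data.
view "internal_resolver" {
    match-clients { internal_nets; };
    match-destinations { internal_nets; };
    recursion yes;
    include "/etc/named.internal.zones";
};

// Checked last: everyone else gets authoritative answers only, which
// is what stops the server being used as an open recursive amplifier.
view "external_resolver" {
    match-clients { any; };
    recursion no;
    include "/etc/named.external.zones";
};
```

Once any view is defined, every zone statement must live inside a view, which is why each view pulls in its own include file. Run named-checkconf before reloading, then confirm from an address outside internal_nets that a query for a name the server is not authoritative for comes back REFUSED and without the "ra" flag; the same query from inside should be answered recursively.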